BroControl config to delete instead of archive on rotation

I don't, but you could try just changing broctl.cfg: CompressCmd = rm

Which really is just (very) lossy compression... :)

I've been discussing the need for more fine-grained log expiration with
a couple of people, but it's hard to give people all the knobs that they
would need.

  --Vlad

Josh Liburdi <liburdi.joshua@gmail.com> writes:

Thanks Vlad, that’s an interesting suggestion. We’re looking to minimize unnecessary file activity, so having an explicit option to delete instead of archive could be useful for some.

Doing that would result in an archived log file of zero length.
To truly delete the log would currently require modifications
to the archive-log script.

I think we already support this, it just was never intended to be used for this purpose:

The archive-log script does this:

    # Run other postprocessors.
    if [ -d "${postprocdir}" ]; then
        for pp in "${postprocdir}"/*; do
            nice "$pp" $@
        done
    fi

    # Test if the log still exists in case one of the postprocessors archived it.
    if [ ! -f $file_name ]; then
        exit 0
    fi

So I think all one needs to do is

    ln -s /bin/rm /usr/local/bro/share/broctl/scripts/postprocessors/rm
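
The symlink above hands every archive-log argument to rm for every rotated log. A postprocessor that deletes only selected log streams and leaves the rest to be archived could look like the following; it is an added example, not part of BroControl or of the original posts. It assumes the rotated file name arrives as the first argument and the log's base name as the second; the DELETE_LOGS list and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: selective-delete postprocessor for archive-log.
# Assumption: postprocessors receive archive-log's arguments, with the
# rotated file name as $1 and the log's base name (e.g. "conn") as $2.

# Hypothetical list of log streams to drop instead of archiving.
DELETE_LOGS="${DELETE_LOGS:-files x509}"

# Return 0 if the given base name is on the delete list.
should_delete() {
    for name in $DELETE_LOGS; do
        [ "$1" = "$name" ] && return 0
    done
    return 1
}

# Delete the rotated file only when its stream is listed.
# Any further arguments (timestamps, writer name) are ignored, not passed to rm.
expire_log() {
    file_name=$1
    base_name=$2
    [ -n "$file_name" ] && [ -n "$base_name" ] || return 0
    should_delete "$base_name" || return 0
    # Only remove regular files; skip directories and symlinks.
    [ -f "$file_name" ] && [ ! -L "$file_name" ] || return 0
    rm -f -- "$file_name"
}

# Act only when invoked with arguments, as archive-log would do.
if [ "$#" -gt 0 ]; then
    expire_log "$@"
fi
```

Installed as an executable in the postprocessors directory instead of the rm symlink, it leaves unlisted logs in place, so archive-log still finds them and archives them as usual.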

Thanks for the feedback everyone.

Somewhat on this topic, have you guys ever thought about adding a socket writer (logging via the network) to Bro? That would be the most efficient way of minimizing disk I/O.

I've been meaning to write a ZMQ writer and an Exec writer (that you could just use to run something like netcat).