Decreasing Log Cycle Time

Hi all,

If I am not mistaken, Bro/Zeek cycles logs hourly.
This cycle is causing some unpredictable behavior in my tailing algorithm.

If I could set it to cycle every 5 minutes rather than on the hour, it would be very beneficial to testing and resolving issues.
Is there a way I can reduce the amount of time Bro takes in between log cycles?

Thanks!

Hello Michael,

In your broctl.cfg file, you can set the rotation interval to 300
seconds with:

LogRotationInterval = 300

Also, if you want to disable gzip on rotation, use this:

CompressLogs = 0

Brgds,

Peter

Hi Michael,

You should be able to do this by changing the “LogRotationInterval” variable in /opt/bro/etc/broctl.cfg (assuming you installed Bro in /opt/). By default it’s set to 3600 seconds (1 hour), so setting this to 300 should change this to 5 minutes. You’ll then have to stop Bro (broctl stop) and redeploy (broctl deploy) for the changes to take effect.

Hope that helps!
Eric
ericooi.com

In broctl.cfg, you can set

LogRotationInterval = 300
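
For the tailing side of the question, here is an added example (not code from any poster in this thread or from the Bro/Zeek project) of a tail that keeps following a log path across a rotation. It assumes rotation renames the live file and a new file later appears at the same path; `RotationAwareTail`, `demo` and the sample lines are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

class RotationAwareTail:  # assumption: rotation renames the live file
    def __init__(self, path):
        self.path, self.fh, self.buf = path, None, b""

    def _open(self):
        try:
            self.fh = open(self.path, "rb")
        except FileNotFoundError:
            self.fh = None  # replacement file not created yet; retry next poll

    def _drain(self):  # read what is available, keep a trailing partial line
        *lines, self.buf = (self.buf + self.fh.read()).split(b"\n")
        return lines

    def poll(self):
        """Return the complete lines written since the previous poll."""
        if self.fh is None:
            self._open()
        if self.fh is None:
            return []
        lines = self._drain()
        try:  # a different inode at the path means the file was rotated
            rotated = os.stat(self.path).st_ino != os.fstat(self.fh.fileno()).st_ino
        except FileNotFoundError:
            rotated = True  # renamed away, replacement not there yet
        if rotated:
            lines += self._drain()  # writes that landed just before the rename
            lines += [self.buf] if self.buf else []  # unterminated last line
            self.buf = b""
            self.fh.close()
            self._open()
            lines += self._drain() if self.fh is not None else []
        return [ln.decode("utf-8", "replace") for ln in lines]

def demo():
    with tempfile.TemporaryDirectory() as d:
        live = Path(d) / "conn.log"
        live.write_text("line-1\nline-2\n")  # constructed sample lines
        tail = RotationAwareTail(live)
        seen = tail.poll()
        with live.open("a") as f:
            f.write("line-3\n")  # written after the last poll, before rotation
        live.rename(live.with_name("conn.log.rotated"))
        live.write_text("line-4\n")  # new file at the same path
        seen += tail.poll()
        tail.fh.close()
        return seen
```

Because the old handle is drained before it is closed, lines written between the last poll and the rotation are not dropped, which is the case a short `LogRotationInterval` makes easy to reproduce.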