delay compress bro log rotation

Good afternoon,

Is there a way to enable a “delay compress” type command (like in logrotate) for bro/broctl cron? I want to post process log files and it would be much more efficient if they were uncompressed.

Hello Brandon,

> Is there a way to enable a "delay compress" type command (like in
> logrotate) for bro/broctl cron? I want to post process log files and it
> would be much more efficient if they were uncompressed.

As far as I am aware, there is no command that delays compression of the
logs. However, you should be able to install custom postprocessing scripts
into broctl, which will be run on the uncompressed log files - this is how
the default connection summary reports are generated.

I never tried this, but I think you should just be able to add a script to
the "postprocessors" directory in broctl, and it should be called on
log-rotation for every log-file. You can use the implementation of the
script that generates the connection summary as a guideline on how to
implement this:
https://github.com/bro/broctl/tree/master/bin/postprocessors

I hope this helps,
Johanna
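
A sketch of the kind of postprocessor script suggested in the reply above, added here as an example; it is not code from the thread or from broctl. It assumes broctl calls the script with the path of the rotated, still uncompressed log as the first argument and the log's base name (for example "conn") as the second, so check the linked summarize-connections script for the actual arguments. SPOOL_DIR, WANTED_LOGS and spool_log are names made up for this example.

```shell
#!/bin/sh
# Hypothetical broctl postprocessor: keep an uncompressed copy of each
# rotated log in a spool directory, so a later job can process it without
# decompressing the archived file.
# ASSUMPTION: $1 = rotated uncompressed log path, $2 = log base name.

SPOOL_DIR="${SPOOL_DIR:-/var/spool/bro-postprocess}"   # example path
WANTED_LOGS="${WANTED_LOGS:-conn dns http}"            # example selection

# Logs hold network metadata: keep the copies away from other users.
umask 027

spool_log() {
    log_in=$1
    base=$2

    # Only spool the log types the downstream job needs.
    case " $WANTED_LOGS " in
        *" $base "*) ;;
        *) return 0 ;;
    esac

    [ -f "$log_in" ] || { echo "spool_log: $log_in not found" >&2; return 1; }

    mkdir -p "$SPOOL_DIR" || return 1
    dest="$SPOOL_DIR/$base.$(date +%Y%m%d-%H%M%S).$$.log"
    tmp="$dest.partial"

    # Copy under a temporary name and rename afterwards, so a consumer
    # watching the spool directory never picks up a half-written file.
    cp -- "$log_in" "$tmp" && mv -- "$tmp" "$dest" || { rm -f -- "$tmp"; return 1; }
    echo "$dest"
}

# Run only when called with arguments, as on log rotation.
if [ "$#" -ge 2 ]; then
    spool_log "$1" "$2" >/dev/null
fi
```

The downstream job should ignore files ending in ".partial" and delete each spooled copy once it has processed it, since nothing else cleans the spool directory.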