Different delimiter for archived log files?

SwedishMike · December 6, 2017, 8:31am

All,

I’ve been looking through the documentation and config files but haven’t found anything relating to this - chances are still big that I’ve missed it so please let me know if I have.

At the moment log files that gets rotated out/archived looks like this:

conn.17:00:00-18:00:00.log.gz

What causes trouble on certain operating systems here is the : (colon) character. For example under Windows it is an invalid character for a file name. If you try to copy the file off your Bro server, or some other off-host storage that supports the file name, onto a Windows host it fails.

Sadly there’s occasions when I need to get these files across to a Windows host which means that I have to manually rename the files before I copy them across.

Is there any configuration setting where this could be changed or would this be a feature request for a future version?

Thanks in advance, Mike

Jon_Siwek · December 6, 2017, 4:34pm

There's a bit in the broctl faq about changing format of archived
filenames that you can try out:

https://www.bro.org/sphinx/components/broctl/README.html#questions-and-answers

Basically says to set the MakeArchiveName option in your broctl.cfg to
point at a custom script which outputs your desired format and you can
use the existing make-archive-name script as an example.

- Jon

SwedishMike · December 6, 2017, 5:24pm

Jon,

Sweet - many thanks for that. I’ll give that a go.

Just shows how well I can read/search for info.

Cheers, Mike

Topic		Replies	Views
Bro 1.5 Zeek	2	104	May 6, 2022
archive-log process apparently failing Zeek	2	145	May 6, 2022
BroControl config to delete instead of archive on rotation Zeek	6	82	May 6, 2022
archive-log process apparently failing Zeek	1	78	May 6, 2022
Another Doubt Zeek	2	122	May 6, 2022

Different delimiter for archived log files?

Related topics