Is there a standard config option for pruning historical logs?

Yes, I know it is trivial, but if there is a built-in way to do it I would rather use it! That way when someone changes the log directory between releases it keeps working :wink:

I am putting much of the data into elsa so there isn't much point in keeping it hanging around in bro-logs for long.


Hello Russel:

Here are the conf settings in your broctl.cfg:

# Expiration interval for log files in LogDir. Files older than this many days
# will be deleted upon running "broctl cron".
LogExpireInterval = 30

# Lower threshold for space available on the disk that holds SpoolDir. If less
# space is available, BroControl starts sending out warning emails.
MinDiskSpace = 5

Thanks! I had seen that. In my case bro shares a partition with several other disk-hungry apps (streamdb and elsa), so I need something with more control than free disk space.

Either number of days or an absolute quota. Absolute quota is safest.

I'll probably add a cron job to monitor disk usage and prune files from the log directory as needed.

Any interest in me adding this to broctl's cron job?

KeepDays = <digits><units>
LogSizeLimit = <digits><units>
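As an added example, not code from this thread or from broctl itself, here is one way to implement the absolute-quota idea above as a cron script: it deletes the oldest archived *.log.gz files first until the directory is under the limit. The /usr/local/bro/logs path is taken from the thread; QUOTA_MB, the function names and the use of GNU find (-printf) are assumptions.

```shell
#!/bin/sh
# Added example (not a broctl feature): enforce an absolute size quota on
# archived Bro logs by deleting the oldest *.log.gz files first. LOG_DIR,
# QUOTA_MB and the function names are assumptions. Needs GNU find and sort.
# Only compressed archives are candidates, so live logs under current/ are
# never touched.
LC_ALL=C; export LC_ALL
LOG_DIR="${LOG_DIR:-/usr/local/bro/logs}"   # path taken from the thread
QUOTA_MB="${QUOTA_MB:-20000}"               # assumed default quota: 20 GB

# Print the total apparent size in bytes of archived logs under $1.
archived_bytes() {
    find "$1" -type f -name '*.log.gz' -printf '%s\n' |
        awk '{ s += $1 } END { printf "%.0f\n", s }'
}

# Delete the oldest archived logs under $1 until the total is <= $2 bytes.
# Prints the number of files removed. Assumes no newlines in file names
# (Bro's YYYY-MM-DD/name.HH:MM:SS-HH:MM:SS.log.gz layout never has them).
prune_to_quota() {
    dir="$1"; limit="$2"; removed=0
    total=$(archived_bytes "$dir")
    list=$(mktemp) || return 1
    # One line per file: mtime (epoch seconds), size, path; oldest first.
    find "$dir" -type f -name '*.log.gz' -printf '%T@ %s %p\n' | sort -n > "$list"
    while read -r _mtime size path; do
        [ "$total" -le "$limit" ] && break
        rm -f -- "$path"
        total=$((total - size))
        removed=$((removed + 1))
    done < "$list"
    rm -f "$list"
    echo "$removed"
}

# Cron entry point: only act when the log directory actually exists.
if [ -d "$LOG_DIR" ]; then
    n=$(prune_to_quota "$LOG_DIR" $((QUOTA_MB * 1024 * 1024)))
    echo "pruned $n archived log files under $LOG_DIR"
fi
```

Run it from a daily cron entry the same way as the find commands elsewhere in this thread; lowering QUOTA_MB on a test copy of the log tree is an easy way to confirm it removes the oldest day first.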


Right!! The 'interval' confused me. I thought it was the interval between checking!

I thought it odd that some time based expiry was not supported out of the box!


In addition to the options you found, another option is to use cron jobs
to have per-log-file retention periods. I do something like this:

    @daily root find /usr/local/bro/logs/ -type f -name 'http*' -mtime +6 -print0 | xargs -0 rm -f
    @daily root find /usr/local/bro/logs/ -type f -name 'ftp.*' -mtime +6 -print0 | xargs -0 rm -f

to only keep http and ftp logs for a week. Once the 'big' log files are
removed, a day's logs are < 100M instead of 10G.