notice.log is extremely large before it rotates, sometimes 140G+. At times it rotates to another log with a timestamp added to its name. This happened after turning on other analyzers.
Is there a way to suppress notice.log or minimize the events written to it? The events in the other logs are more important.
There are also other logs that are extremely large as well, and I’m trying to balance processing and space vs the visibility.
Any advice appreciated.
I could directly answer your question, but I don't think that's necessarily what you want.
notice.log rotates at 140GB+
Wow! That's a big notice.log. Do you load any custom scripts that generate notices to the notice framework? If you aren't monitoring an extremely large network, this could indicate that something is wrong. Which notes are most common in your notice.log?
Is there a way to suppress notice.log or minimize the events written to it?
Yes! You can suppress individual notices or the entire log. To suppress notices, you can take a look at the documentation on the Notice framework here: https://www.bro.org/sphinx/frameworks/notice.html
To suppress the entire log, or parts of it... you'd have to use the logging framework: https://www.bro.org/sphinx-git/frameworks/logging.html
I'd recommend looking into why your notice.log is so big though. If you have many logs that are extremely large, it is possible that you are simply monitoring a LOT of traffic. You may have to pick and choose what Bro sees if you can't keep up with the logs, or you could apply some logging filters to cut down on the information that you don't care about.
Additionally, you can disable common notices that you don't care about. Consider adding some notices to Notice::ignored_types.
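The two mechanisms Stephen points at, Notice::ignored_types and a logging-framework filter, look like this in a Bro site script. This is an added example, not code from the thread or from the Bro project; the notice types named in it (Weird::Activity, Scan::Address_Scan, Scan::Port_Scan, SSL::Invalid_Server_Cert) are standard types from Bro's shipped scripts chosen only for illustration, and the set name notice_log_skip is my own.

```bro
##! Added example: trim notice.log without touching the other logs.
##! Two different levers are shown:
##!   1. Notice::ignored_types  - the notice is never raised at all
##!      (no log line, no email, no alarm).
##!   2. a Log::Filter predicate - the notice is still raised and still
##!      goes through Notice::policy (so email/alarm actions keep working),
##!      but the line is not written to notice.log.

@load base/frameworks/notice
@load base/frameworks/logging

# Lever 1: notice types listed here are dropped before any action runs.
# The three types below are standard Bro notice types used as placeholders;
# replace them with whatever actually dominates your notice.log.
redef Notice::ignored_types += {
    Weird::Activity,
    Scan::Address_Scan,
    SSL::Invalid_Server_Cert,
};

# Lever 2: notice types you still want to act on (e.g. via ACTION_EMAIL in
# Notice::policy) but do not want on disk. Constructed example set; the name
# notice_log_skip is not part of Bro.
const notice_log_skip: set[Notice::Type] = {
    Scan::Port_Scan,
} &redef;

event bro_init()
{
    # Swap the stock filter on Notice::LOG for one that consults the set.
    # Everything not in notice_log_skip is written exactly as before.
    Log::remove_default_filter(Notice::LOG);
    Log::add_filter(Notice::LOG, [$name = "notice-trimmed",
                                  $pred(rec: Notice::Info) = {
                                      return rec$note !in notice_log_skip;
                                  }]);
}
```

Put the script in local.bro (or a file it loads) and run `broctl check` before deploying. Before choosing what to ignore, count the note column of the existing log with bro-cut (`bro-cut note < notice.log | sort | uniq -c | sort -rn`) so the decision is based on what is actually filling the file; ignored_types silences a type completely, so reserve it for notices nobody acts on and use the log filter for the rest.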
Wow! What notices do you have? It sounds like you may have a notice that is getting out of control and it might make more sense figuring out what's going on rather than just trying to muffle the creation of these notices.
Thank you Stephen and Seth!
I am still working on troubleshooting this issue, but I will update once it is resolved.