Question on log rotation

Gary_Faulkner · December 19, 2013, 11:57pm

I had a situation where log rotation and post-processing (summary emails) were not completing. New logs would get started and each previous hour's logs renamed, but not get compressed and moved, which means that many of the previous logs were still in /current (or are they really in <path-to-bro>/spool/manager?). In any case upon stopping bro via broctl it appears that only the most current log got processed and archived while all of the logs in between that never got processed seem to simply have gotten deleted. Are those logs simply lost or somewhere other than the dated archive folder and /current folder? If so, is this expected behavior, or is there normally something that would check to see if previous logs failed to rotate out?

Regards,

ericooi · December 20, 2013, 1:45am

I’ve noticed this before on Bro 2.1. I ended up writing a quick python script and configured it as an hourly cron job to complete the compression and move. I’ve attached it here. Hope this helps.

Eric

bro_missed_rotate.py (2.05 KB)

Gary_Faulkner · December 20, 2013, 2:33am

Thank you, that should actually be very helpful, and not just for this problem, but also because I have a couple python books on my reading list over winter break, along with Applied NSM.

~Gary

Topic		Replies	Views
archive-log process apparently failing Zeek	2	145	May 6, 2022
archive-log process apparently failing Zeek	1	78	May 6, 2022
Bro 2.5 and log rotation Zeek	3	143	May 6, 2022
Bro 1.5 Zeek	2	104	May 6, 2022
broctl cron not rotating logs? Zeek	2	85	May 6, 2022

Question on log rotation

Related Topics