Hi folks,
I was wondering if anyone had a recipe for changing the log rotate
script to rotate bro logs like regular log rotate does
notice.log
notice.log.1
notice.log.2
notice.log.3
etc
vs
notice.log-10-11-15_13.00.00
notice.log-10-11-15_14.00.00
notice.log-10-11-15_15.00.00
notice.log-10-11-15_16.00.00
etc
And extra points for cleanup of "old" logs.
Thought I'd ask before I did it myself.
Thanks,
-Tim
I'm thinking about how to implement this, but I had some questions. Are you using BroControl so your logs are being put into directories by day? How do you see these log names working in that context? Would each day have logs named like: *.0, *.2, *.3, ..., *.23?
Or are you asking about creating logs named this way outside of the context of BroControl?
.Seth
Hi Tim,
I use logrotate.
It was made for Linux, but is ported to FreeBSD
(/usr/ports/sysutils/logrotate/). Very configurable for log management.
Check out this resource for an example config and online documentation:
http://www.linuxconfig.org/Logrotate
HTH
Cheers!
Christopher
Well, right now I'm just using straight bro (the binary) because I'm in the middle of debugging a script, but ultimately it will move to brocontrol.
I have only limited experience with BroControl at this point though (I ran it and started a script); I haven't experienced BroControl's handling of log files yet.
I guess I'm just looking to simulate what regular old Linux does with logs and logrotate: everything goes into one directory, or a subdirectory of that one directory (for instance httpd logs in the subdirectory /var/log/httpd/), and then logrotate comes around and makes .1, .2, etc. at some interval.
It'd be equally acceptable to me if I could just change the bro log file name to not be a timestamp, and then have logrotate work like it does naturally.
Can I redef the build_name function in rotate logs and just return a string like "messages" and then bro would create a regular file called "messages" without the extra timestamp text, filename suffix, etc??
If I were to let logrotate handle rotating of the bro log, I'd also want to tell bro to never rotate its own file, and then in the logrotate config specify "copytruncate" to prevent bro from losing any open handles to its log file, right?
I approached the log rotate question as a function of bro, but maybe in my case I would be happy with what I described above?
-Tim
Seth Hall wrote:
> Can I redef the build_name function in rotate logs and just return a string like "messages" and then bro would create a regular file called "messages" without the extra timestamp text, filename suffix, etc??
Instead of doing that, you should be able to just not load the rotate-logs.bro script. This changes if you are running broctl though because there is some small amount of log rotation logic contained there and rotate-logs.bro is loaded by some of the broctl scripts. Just be aware that the all.bro and the (deprecated) brolite.bro script both load rotate-logs.bro.
> If I were to let logrotate handle rotating of the bro log, I'd also want to tell bro to never rotate its own file, and then in the logrotate config specify "copytruncate" to prevent bro from losing any open handles to its log file, right?
After looking at the logrotate man page, I think you are correct. If you find that that option works with Bro, could you please report back?
> I approached the log rotate question as a function of bro, but maybe in my case I would be happy with what I described above?
When you make the move to BroControl, you may find that you are actually just fine with how it does log rotation. I haven't heard any complaints about how it manages the logs at least.
I think it's probably worthwhile to think of the logs that Bro outputs as different from your system logs since that's the primary output of the application. The logs are more equivalent to the database that a web application might use and less comparable to the logs that the web server running the web application outputs.
.Seth
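The approach Tim describes and Seth confirms (Bro left writing to a fixed file name, an external rotator producing notice.log.1, notice.log.2, ... and pruning the oldest copies) can be spelled out as a small POSIX shell script. This is an added example, not code from the thread or from the Bro project; it assumes Bro's own rotation is switched off as Seth suggests (rotate-logs.bro not loaded) and that the writer holds the log open in append mode. The function names `rotate_numbered` and `count_rotated` are this example's own. It uses copy-then-truncate rather than rename, which is what logrotate's `copytruncate` directive does, so the descriptor Bro holds keeps pointing at the live file.

```shell
#!/bin/sh
# Added example (not from the thread): numbered log rotation with
# copy-then-truncate semantics. Assumes the logging process keeps the
# file open in append mode and never rotates the file itself.

# rotate_numbered FILE KEEP
#   Shifts FILE.(KEEP-1) -> FILE.KEEP, ..., FILE.1 -> FILE.2, then copies
#   FILE to FILE.1 and truncates FILE in place. Copies beyond FILE.KEEP
#   are removed, which is the "cleanup of old logs" part.
rotate_numbered() {
    file=$1
    keep=$2
    [ -f "$file" ] || return 0
    # Drop the oldest copy, then shift the remaining copies up by one.
    rm -f "$file.$keep"
    i=$((keep - 1))
    while [ "$i" -ge 1 ]; do
        [ -f "$file.$i" ] && mv "$file.$i" "$file.$((i + 1))"
        i=$((i - 1))
    done
    # Copy, then truncate the original rather than renaming it: the
    # writer's open descriptor still refers to FILE, so its next write
    # (O_APPEND) lands at offset 0 of the now-empty file. Lines written
    # between the cp and the truncate are lost; this is the documented
    # trade-off of logrotate's copytruncate as well.
    cp -p "$file" "$file.1" && : > "$file"
}

# count_rotated FILE
#   Prints how many FILE.N copies currently exist.
count_rotated() {
    n=0
    for f in "$1".[0-9]*; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Usage (hourly from cron, for example):
#   rotate_numbered /var/log/bro/notice.log 24
```

The logrotate equivalent of `rotate_numbered FILE 24` is a stanza for the file with `copytruncate` and `rotate 24` (plus `missingok` and `notifempty` as desired); the same small window of loss between copy and truncate applies there, as the logrotate man page notes, so if every Bro record matters it is worth checking how many lines, if any, go missing at each rotation before relying on it.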