We have one particular bro log that fills up much faster than all the others. Is there a way to rotate that one log one a different timetable than the others?
I found this in the documentation which seems to indicate that it is possible (the example given is for the conn.log):
https://www.bro.org/sphinx-git/frameworks/logging.html#rotation
event bro_init()
{
local f = Log::get_filter(Conn::LOG, “default”);
f$interv = 30 min;
Log::add_filter(Conn::LOG, f);
}
Can you put this script into /usr/local/bro/share/bro/site/local.bro to force only that log to rotate on a different schedule?
Thanks.