[Bro] Take action on a notice?
jessebowling at gmail.com
Tue Apr 16 08:29:16 PDT 2013
In fact my workers have completely stopped processing packets as well; I'll
look at this incantation and see if that works for me. Although I need to
just solve the problem, I thought it might also be a good problem to force
me into delving into the scripting language itself. :)
On Tue, Apr 16, 2013 at 9:49 AM, Justin Azoff <JAzoff at albany.edu> wrote:
> On Tue, Apr 16, 2013 at 09:37:06AM -0400, Jesse Bowling wrote:
> > I'm regularly seeing PacketFilter::Dropped_Packets notices in my logs, which I
> > believe are related to an issue with the version of PF_RING that I'm using. I'm
> > in the midst of getting it upgraded, but in the meantime I'd love to be able to
> > take an automated action on these notices (i.e., automatically restart
> > worker process that's dropping packets).
> > I know all the parts for doing this are in the archives somewhere, but
> > someone mind giving me at least the high-level steps? My brogramming is
> > at best...
> I use this, but it is for restarting workers that have completely
> stopped processing packets:
> */5 * * * * root sleep 5 ; grep -s -P "\t0\t0\t0" /usr/local/bro/logs/current/capture_loss.log && restart_bro
> restart_bro is just a script that uses broctl to restart bro and sends
> -- Justin Azoff
> -- Network Security & Performance Analyst
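
An added example, not part of the original thread: a per-worker version of the check the cron line performs, so a restart script can target only the workers that have stopped. It assumes the Bro 2.x capture_loss.log column order (ts, ts_delta, peer, gaps, acks, percent_lost) and, unlike the grep, looks only at each worker's most recent row; the function names and sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report workers whose most recent
# capture_loss.log row has gaps=0 and acks=0, i.e. the "\t0\t0\t0"
# condition the cron grep matches, but per worker.
# Assumed columns: ts  ts_delta  peer  gaps  acks  percent_lost

stalled_workers() {
    # $1 = path to capture_loss.log; prints one stalled peer name per line.
    awk -F '\t' '
        /^#/ { next }                       # skip "#fields"-style header lines
        NF >= 6 {                           # later rows overwrite earlier ones,
            gaps[$3] = $4                   # so only the latest interval per
            acks[$3] = $5                   # peer is evaluated at the end
            pct[$3]  = $6
        }
        END {
            for (p in gaps)
                if (gaps[p] == "0" && acks[p] == "0" && pct[p] ~ /^0/)
                    print p
        }
    ' "$1" | sort
}

make_sample() {
    # $1 = output path. Constructed rows, not real log data:
    #   worker-1 healthy throughout, worker-2 stalled then recovered,
    #   worker-3 healthy then stalled in the latest interval.
    {
        printf '#fields\tts\tts_delta\tpeer\tgaps\tacks\tpercent_lost\n'
        printf '1366125000.0\t900.0\tworker-1\t12\t48211\t0.024891\n'
        printf '1366125000.0\t900.0\tworker-2\t0\t0\t0.000000\n'
        printf '1366125000.0\t900.0\tworker-3\t3\t51002\t0.005882\n'
        printf '1366125900.0\t900.0\tworker-1\t9\t47650\t0.018888\n'
        printf '1366125900.0\t900.0\tworker-2\t5\t39120\t0.012781\n'
        printf '1366125900.0\t900.0\tworker-3\t0\t0\t0.000000\n'
    } > "$1"
}

log=$(mktemp)
make_sample "$log"
stalled_workers "$log"      # names that a restart script could act on
rm -f "$log"
```

The peer names printed are assumed to match the broctl node names, so each could be handed to the restart script mentioned above.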