[Bro] Status crashed

Mike Patterson mike.patterson at uwaterloo.ca
Mon Jun 3 04:10:11 PDT 2013

On 2013-06-02, at 8:53 PM, Seth Hall <seth at icir.org> wrote:

> On Jun 1, 2013, at 10:21 AM, James Lay <jlay at slave-tothe-box.net> wrote:
>> So…at some point in time, my bro crashed.  I lost about 4 days worth of data.  I checked syslogs and found no indication of this…is there any way to get a log or notification or something when this happens?  Thank you.
> Do you have a cron job installed to run the "broctl cron" command?
> Also, you probably want to check that the cron command is enabled with "broctl cron ?"

And in the belt-and-suspenders approach, you probably want to monitor the status of the processes with Nagios, Zabbix, or some other system/host monitoring system. If my number of Bro processes drops below a certain figure, I get an email. Could be a page if I wanted it to be. And while you're configuring Bro monitoring, you might as well go ahead and monitor other things that can affect your monitor: free disk space, CPU, free RAM, dropped packets on the network interface, etc.

This doesn't help you *this* time, but if there's a next time, you'll at least find out about it before more than several days have gone by.
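As an added illustration of the process-count monitoring described above (this is not code from the thread or from the Bro project), here is a small Nagios/Zabbix-style check script in POSIX sh. It counts running `bro` processes and returns the usual plugin exit codes so a monitoring system can turn a drop below the threshold into an email or a page. The process name `bro`, the default minimum of 3 processes (manager, proxy, one worker), and the `--run` entry point are all assumptions for this example.

```shell
#!/bin/sh
# check_bro_procs.sh: added example, not from the mailing-list thread.
# Counts running Bro processes and reports Nagios-style status.
# Exit codes: 0 = OK, 1 = WARNING (fewer than expected), 2 = CRITICAL (none).

# Assumed minimum: manager + proxy + at least one worker. Override with
# MIN_PROCS=<n> in the environment or the monitoring system's command line.
MIN_PROCS="${MIN_PROCS:-3}"

# count_bro_procs: number of running processes whose command name is exactly "bro".
# pgrep -c prints 0 and exits non-zero when nothing matches, so keep the output
# and swallow the exit status.
count_bro_procs() {
    pgrep -c -x bro 2>/dev/null || true
}

# bro_status COUNT MIN: print one Nagios-style status line and return the
# matching exit code. Kept free of side effects so it can be tested directly.
bro_status() {
    count=$1
    min=$2
    if [ "$count" -eq 0 ]; then
        echo "CRITICAL - no bro processes running (expected >= $min)"
        return 2
    elif [ "$count" -lt "$min" ]; then
        echo "WARNING - only $count bro processes running (expected >= $min)"
        return 1
    fi
    echo "OK - $count bro processes running"
    return 0
}

# Entry point: only runs when invoked as "check_bro_procs.sh --run", so the
# functions above can also be sourced from another script.
case "${1:-}" in
    --run)
        bro_status "$(count_bro_procs)" "$MIN_PROCS"
        exit $?
        ;;
esac
```

Install it as a plugin (for example a Nagios `check_command`) and set the monitoring system to alert on exit code 1 or 2; pairing it with a cron job that runs `broctl cron`, as suggested earlier in the thread, gives both automatic restarts and a notification that the restart was needed.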


