[Bro] Odd log problem - logs get archived as empty

Jeremy Hoel jthoel at gmail.com
Fri Mar 7 09:49:59 PST 2014


Well so I went to do our other bro installs and noticed that the one with
the 2.2 fresh install already had the commands but the ones we upgraded
from 2.1 to 2.2 did not.  So eh.. I don't know.

Plus, the 'broctl config' knew about the commands, but they weren't in the
.sh file.  So I'm not sure how/why that was different. But that is probably
totally me not knowing how Bro works in detail.

I'm just thankful for the quick response of this list and that it wasn't
something simple that I had missed.



On Fri, Mar 7, 2014 at 5:37 PM, Robin Sommer <robin at icir.org> wrote:

> Sounds like we should add a check to broctl that when the version of
> either itself or Bro changes, it suggests doing an "install" if not
> done yet.
>
> Robin
>
> On Fri, Mar 07, 2014 at 17:15 +0000, Jeremy Hoel wrote:
>
> > Thanks for your help everyone.. I did the broctl install and then restart
> > and then at the next restart/rotate, things compressed like normal.
> >
> > I'll have to do a test install and see if those two lines are in
> > the broctl-config.sh by default.
> >
> >
> > On Fri, Mar 7, 2014 at 2:05 AM, Jeremy Hoel <jthoel at gmail.com> wrote:
> >
> > > Right right.. I so rarely change that; I forgot.  Thank you and I'll test
> > > that tomorrow.
> > > On Mar 6, 2014 6:42 PM, "Daniel Thayer" <dnthayer at illinois.edu> wrote:
> > >
> > >> You need to do "broctl install" after upgrading (that will update
> > >> your broctl-config.sh file).
> > >>
> > >>
> > >>
> > >> On 03/06/2014 06:58 PM, Jeremy Hoel wrote:
> > >>
> > >>> So I added those two lines, restarted bro "broctl restart" waited a
> > >>> number of minutes, then restarted it again, the logs moved into the
> > >>> archive directory, but still end up empty and with the dot at the end.
> > >>>
> > >>> I'm heading home for the night, but I'll keep reading and checking out
> > >>> some things.
> > >>>
> > >>> Thanks!
> > >>>
> > >>>
> > >>> On Fri, Mar 7, 2014 at 12:51 AM, Jeremy Hoel <jthoel at gmail.com> wrote:
> > >>>
> > >>>     # grep compress /usr/local/bro/spool/broctl-config.sh
> > >>>     compresslogs="1"
> > >>>
> > >>>
> > >>>     That is interesting.  So it's missing the two lines:
> > >>>     compresscmd = gzip -9
> > >>>     compressextension = gz
> > >>>
> > >>>     I'll add those and restart and see what happens
> > >>>
> > >>>     Side note - this is an upgrade from 2.1 to 2.2
> > >>>
> > >>>     And I think/thought it was working in 2.1
> > >>>
> > >>>
> > >>>
> > >>>
> > >>>     On Fri, Mar 7, 2014 at 12:43 AM, Justin Azoff <JAzoff at albany.edu> wrote:
> > >>>
> > >>>         On Fri, Mar 07, 2014 at 12:11:09AM +0000, Jeremy Hoel wrote:
> > >>>          > #  broctl config | grep compress
> > >>>          > compresscmd = gzip -9
> > >>>          > compressextension = gz
> > >>>          > compresslogs = 1
> > >>>          >
> > >>>          >
> > >>>          > If the variables are blank, wouldn't, worst case, it copy the
> > >>>          > files in and just have them be big?
> > >>>
> > >>>         not sure.. the command it runs is:
> > >>>
> > >>>              nice ${compresscmd} <$1 >$dest.${compressextension}
> > >>>
> > >>>         if compresslogs is not 1, then it just runs
> > >>>
> > >>>              nice cp $1 $dest
> > >>>
> > >>>         Your logs have a '.' at the end so it is clearly trying to do
> > >>>         something,
> > >>>         but not having the right variables there.
> > >>>
> > >>>         You should have one or more 'broctl-config.sh' files
> > >>>
> > >>>         something like:
> > >>>
> > >>>              /usr/local/bro/spool/broctl-config.sh
> > >>>
> > >>>         try
> > >>>
> > >>>              grep compress /usr/local/bro/spool/broctl-config.sh
> > >>>
> > >>>         you should get the same output.
> > >>>
> > >>>         --
> > >>>         -- Justin Azoff
> > >>>
> > >>>
> > >>>
> > >>>
> > >>>
> > >>>
> > >>
>
>
>
>
> --
> Robin Sommer * Phone +1 (510) 722-6541 *     robin at icir.org
> ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org/robin
>
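
The check suggested in this thread, sketched as an added example (not broctl's own code and not written by anyone in the thread): it compares the `key = value` output of `broctl config` with the `key="value"` lines of the installed `broctl-config.sh` and flags options that never reached the installed file. The function names and sample inputs are constructed, and the assumption is that every installed option uses the same `key="value"` form as the `compresslogs="1"` line quoted above.

```shell
#!/bin/sh
# Constructed sample inputs, modelled on the output quoted in the thread.
SAMPLE_CONFIG='compresscmd = gzip -9
compressextension = gz
compresslogs = 1'
SAMPLE_INSTALLED='compresslogs="1"'

# missing_keys CONFIG_TEXT INSTALLED_TEXT [PATTERN]   (hypothetical helper)
# Prints each key from "key = value" lines in CONFIG_TEXT that contains
# PATTERN and has no non-empty key="value" line in INSTALLED_TEXT.
missing_keys() {
    cfg=$1 installed=$2 pattern=${3:-compress}
    printf '%s\n' "$cfg" | while IFS= read -r line; do
        key=${line%% = *}
        [ "$key" != "$line" ] || continue      # skip lines without " = "
        case $key in *"$pattern"*) ;; *) continue ;; esac
        # An empty value ("") is treated as missing: that is the state in
        # which the archive command has no compressor or extension to use.
        if ! printf '%s\n' "$installed" | grep -Eq "^${key}=\"[^\"]+\""; then
            printf '%s\n' "$key"
        fi
    done
}

# check_install CONFIG_TEXT INSTALLED_TEXT [PATTERN]   (hypothetical helper)
# Returns 0 when the installed file is in sync, 1 when options are missing.
check_install() {
    missing=$(missing_keys "$1" "$2" "${3:-compress}")
    if [ -n "$missing" ]; then
        printf 'stale broctl-config.sh, missing: %s\n' \
            "$(printf '%s' "$missing" | tr '\n' ' ')" >&2
        printf 'run "broctl install" before the next log rotation\n' >&2
        return 1
    fi
    return 0
}

# Live use, with the path quoted in the thread:
#   check_install "$(broctl config)" \
#       "$(cat /usr/local/bro/spool/broctl-config.sh)"
check_install "$SAMPLE_CONFIG" "$SAMPLE_INSTALLED" || true
```

Run from cron or a post-upgrade hook, a non-zero exit gives a warning before rotation archives unusable logs rather than after.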