[Bro] Where are the log files when DNS monitoring ran by cli ?

Seth Hall seth at icir.org
Wed Oct 22 07:26:06 PDT 2014

On Oct 22, 2014, at 9:42 AM, John Donnelly <jdonnelly at dyn.com> wrote:

> No changes made to broctl.cfg !
> I am running bro outside of broctl .. are those setting read by bro during startup ?

I'm confused.  You first said that you weren't getting logs when you ran Bro outside of BroControl but then you said you were getting logs when you ran Bro with BroControl.  

If you run bro directly at the command line, it won't load any of the broctl scripts or implement any of the broctl configuration.  You are almost certainly seeing invalid checksums on one of the interfaces you're sniffing.  If you want to see if that's it, you could temporarily disable checksum checking with the -C flag on the command line.  I don't recommend running with that configuration for normal use though.

It seemed like you were also confused about where logs would be written when running bro directly.  They should be written to your current working directory by default. :)


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

More information about the Bro mailing list