[Bro] Revisiting log rotate only

James Lay jlay at slave-tothe-box.net
Mon Jan 19 05:57:35 PST 2015


On Sat, 2015-01-17 at 07:37 -0700, James Lay wrote:

> Hey all,
> 
> I posted about this last August here:
> 
> http://mailman.icsi.berkeley.edu/pipermail/bro/2014-August/007329.html
> 
> I also noticed someone having a disappearing log event which I have seen
> before as well here:
> 
> http://mailman.icsi.berkeley.edu/pipermail/bro/2015-January/007935.html
> 
> I documented my process on installing bro on Ubuntu 14.04 using just
> log rotation below:
> 
> sudo apt-get -y install cmake
> sudo apt-get -y install python-dev
> sudo apt-get -y install swig
> cp /usr/local/bro/share/bro/site
> cp /opt/bin/startbro <- command line bro with long --filter line
> cp /opt/bin/startbro to /etc/rc.local
> sudo ln -s /usr/local/bro/bin/bro /usr/local/bin/
> sudo ln -s /usr/local/bro/bin/bro-cut /usr/local/bin/
> sudo ln -s /usr/local/bro/bin/broctl /usr/local/bin/
> sudo ln -s /usr/local/bro/share/broctl/scripts/archive-log /usr/local/bin/
> sudo ln -s /usr/local/bro/share/broctl/scripts/broctl-config.sh /usr/local/bin/
> sudo ln -s /usr/local/bro/share/broctl/scripts/create-link-for-log /usr/local/bin/
> sudo ln -s /usr/local/bro/share/broctl/scripts/make-archive-name /usr/local/bin/
> git clone https://github.com/jonschipp/mal-dnssearch.git
> sudo make install
> 
> specifics on log rotate only:
> 
> add the below to local.bro
> redef Log::default_rotation_interval = 86400 secs;
> redef Log::default_rotation_postprocessor_cmd = "archive-log";
> edit the below in broctl.cfg
> MailTo = jlay at slave-tothe-box.net
> LogRotationInterval = 86400
> sudo /usr/local/bro/bin/broctl install
> 
> Besides the edits to broctl.cfg, file locations are the default.  The
> above works well usually...it's after a reboot I have found things go
> bad.  Usually logs get rotated at midnight and I get an email with
> statistics, just what I need.  I rebooted the machine on the 13, and
> that's the last email or log rotation I got....this morning I see
> current has files and my logstash instance has data so I believe the
> rotation got..."stuck".  I'm kicking myself for not heading/tailing
> the files first, but after issuing a "sudo killall bro", those file in
> current vanished, no directory was created, and I received no email,
> that data is now gone (no big deal as this is at home).  I decided to
> run broctl install again, then start and kill bro one more time.  At
> that point, I got a new directory with log rotation and an email with
> minutes or so of stats.  Please let me know if there's something I can
> do on my end to troubleshoot.  Thank you.
> 
> James 
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro


Confirming that this method is no longer working.  Heading my conn.log
file I see:

#open	2015-01-19-00-00-05

my /usr/local/bro/logs is completely missing Jan 18th.  From my
broctl.cfg:

SpoolDir = /usr/local/bro/spool
LogDir = /usr/local/bro/logs
LogRotationInterval = 86400

From my /usr/local/bro/share/bro/site/local.bro:

redef Log::default_rotation_interval = 86400 secs;
redef Log::default_rotation_postprocessor_cmd = "archive-log";

Anything else I can do to debug this?  Thank you.

James
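A small check that would have caught the stuck rotation described above before the data was lost: it reads the `#open` header of a current log (the same tab-separated `#open` line shown in the post), takes `LogRotationInterval` from broctl.cfg, and reports how far past the expected rotation the file is. This is an added example, not code from the post or from Bro/broctl; the sample header and config text are constructed from what the post shows, and the grace period is an assumption.

```python
import re
from datetime import datetime, timedelta

# Bro ASCII logs carry '#'-prefixed header lines; '#open' records when the
# writer opened the file as YYYY-MM-DD-HH-MM-SS (format as seen in the post).
OPEN_RE = re.compile(r"^#open\t(\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2})$")


def parse_open_time(header_lines):
    """Return the #open timestamp of a Bro log, or None if absent."""
    for line in header_lines:
        m = OPEN_RE.match(line.rstrip("\n"))
        if m:
            return datetime.strptime(m.group(1), "%Y-%m-%d-%H-%M-%S")
    return None


def parse_rotation_interval(broctl_cfg_text, default=86400):
    """Pull LogRotationInterval (seconds) out of broctl.cfg text."""
    for line in broctl_cfg_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "LogRotationInterval":
            return int(value.strip())
    return default


def rotation_overdue(header_lines, now, interval_secs, grace_secs=600):
    """Seconds the log is past its expected rotation (0 if not overdue).

    grace_secs is an assumed allowance for the post-processor to run."""
    opened = parse_open_time(header_lines)
    if opened is None:
        raise ValueError("no #open header found")
    overdue = (now - opened) - timedelta(seconds=interval_secs + grace_secs)
    return max(0, int(overdue.total_seconds()))


# Constructed sample input modelled on the post's conn.log header and broctl.cfg.
SAMPLE_HEADER = ["#separator \\x09", "#path\tconn", "#open\t2015-01-19-00-00-05"]
SAMPLE_CFG = ("SpoolDir = /usr/local/bro/spool\nLogDir = /usr/local/bro/logs\n"
              "LogRotationInterval = 86400\n")


def check_sample(now):
    """Apply the check to the constructed sample at the given wall-clock time."""
    return rotation_overdue(SAMPLE_HEADER, now, parse_rotation_interval(SAMPLE_CFG))


if __name__ == "__main__":
    secs = check_sample(datetime.now())
    print("rotation overdue by %d s" % secs if secs else "rotation on schedule")
```

In a deployment the header lines would come from `head` on each file under SpoolDir and a non-zero result would feed a cron alert, so a reboot that silently stops rotation is noticed the next day rather than weeks later.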