[Bro] [maintenance] what would cause a backlog/erasure in "...logs/current"?
dnthayer at illinois.edu
Wed Jan 21 08:38:05 PST 2015
On 01/08/2015 10:24 AM, Glenn Forbes Fleming Larratt wrote:
> My Bro cluster is happily flagging and accumulating data - but:
> 1. The last two hourly cycles left uncompressed logfiles in
> -rw-r--r-- 1 bro bro 73529 Jan 8 11:00 reporter-15-01-08_10.00.00.log
> -rw-r--r-- 1 bro bro 749059 Jan 8 11:00 tunnel-15-01-08_10.00.00.log
> -rw-r--r-- 1 bro bro 2474781 Jan 8 11:00 weird-15-01-08_10.00.00.log
> -rw-r--r-- 1 bro bro 17062559659 Jan 8 10:00 conn-15-01-08_09.00.00.log
> -rw-r--r-- 1 bro bro 2260979370 Jan 8 10:00 files-15-01-08_09.00.00.log
> -rw-r--r-- 1 bro bro 4942559737 Jan 8 10:00 http-15-01-08_09.00.00.log
> : etc.
> 2. No gzip processes were in evidence;
> 3. Figuring it might be the appropriate proverbial kick in the pants, I
> did a "broctl restart", which ran cleanly - and to all appearances,
> *erased* the older uncompressed files in question.
> I now have a hole where the data from 10:00-12:00 today used to be - can
> anyone shed light on what's going on here?
Has this happened more than once? Have you tried looking for
unarchived log files in /opt/app/bro/spool/tmp ?
If there were any unarchived log files in logs/current, then when
you do a broctl stop (or broctl restart), I would expect that they
would get moved into a subdirectory of spool/tmp/ (assuming that
you're using a recent version of broctl).
More information about the Bro