[Bro] logs in bro/spool/manager not consistent with archived logs

Daniel Thayer dnthayer at illinois.edu
Thu Jun 18 12:09:40 PDT 2015


Correct.  The naming convention used for the archived logs
is to organize them by day (each day gets its own subdirectory under
the "logs" directory), and the filename of each log contains
the time range of that log.  For example, conn.06:00:00-07:00:00.log.gz
is the conn.log for the time period 6:00am to 7:00am.


On 06/18/2015 01:46 PM, Duba, Andrew wrote:
> Right.  The "logs" directory has compressed versions of the files that are
> under "current", but all I'm seeing under current are the 5 logs which do
> not map to the naming scheme in the archived directories.
>
> -Andrew
>
> On 6/18/15, 1:23 PM, "Daniel Thayer" <dnthayer at illinois.edu> wrote:
>
>> The directory "spool/manager" is where the current (i.e., active) logs
>> are located.  The "logs" directory is where the archived logs are
>> located.  Logs are archived according to the log rotation interval
>> specified in your configuration.
>>
>>
>> On 06/18/2015 01:13 PM, Duba, Andrew wrote:
>>> I'm running bro in my test environment and if I do an ls on the
>>> directory where current logs are supposed to be stored I get this
>>>
>>> root at spot:/usr/local/bro/logs# ls /usr/local/bro/spool/manager
>>>
>>> communication.log  loaded_scripts.log  reporter.log  stderr.log
>>> stdout.log
>>>
>>>
>>>
>>> If I run  an ls in one of the archived directories I get this
>>>
>>>
>>> app_stats.00:00:00-01:00:00.log.gz  conn.06:00:00-07:00:00.log.gz          dpd.07:00:00-08:00:00.log.gz  known_services.00:00:00-01:00:00.log.gz  reporter.12:49:56-12:58:35.log.gz  ssl.12:00:00-13:00:00.log.gz
>>> app_stats.01:00:00-02:00:00.log.gz  conn.07:00:00-08:00:00.log.gz          dpd.08:00:00-09:00:00.log.gz  known_services.01:00:00-02:00:00.log.gz  reporter.13:02:38-13:06:00.log.gz  tunnel.07:00:00-08:00:00.log.gz
>>> app_stats.02:00:00-03:00:00.log.gz  conn.08:00:00-09:00:00.log.gz          dpd.09:00:00-10:00:00.log.gz  known_services.09:00:00-10:00:00.log.gz  snmp.00:00:00-01:00:00.log.gz      tunnel.08:00:00-09:00:00.log.gz
>>> app_stats.03:00:00-04:00:00.log.gz  conn.09:00:00-10:00:00.log.gz          dpd.10:00:00-11:00:00.log.gz  known_services.12:00:00-13:00:00.log.gz  snmp.01:00:00-02:00:00.log.gz      tunnel.10:00:00-11:00:00.log.gz
>>> app_stats.04:00:00-05:00:00.log.gz  conn.10:00:00-11:00:00.log.gz          dpd.11:00:00-12:00:00.log.gz  loaded_scripts.12:45:56-12:58:35.log.gz  snmp.02:00:00-03:00:00.log.gz      tunnel.11:00:00-12:00:00.log.gz
>>> app_stats.05:00:00-06:00:00.log.gz  conn.11:00:00-12:00:00.log.gz          dpd.12:00:00-13:00:00.log.gz  loaded_scripts.12:58:38-13:00:00.log.gz  snmp.03:00:00-04:00:00.log.gz      tunnel.12:00:00-13:00:00.log.gz
>>> app_stats.06:00:00-07:00:00.log.gz  conn.12:00:00-13:00:00.log.gz          files.00:00:00-01:00:00.log.gz  notice.00:00:00-01:00:00.log.gz        snmp.09:00:00-10:00:00.log.gz      weird.00:00:00-01:00:00.log.gz
>>> app_stats.07:00:00-08:00:00.log.gz  conn-summary.00:00:00-01:00:00.log.gz  files.01:00:00-02:00:00.log.gz  notice.01:00:00-02:00:00.log.gz        snmp.10:00:00-11:00:00.log.gz      weird.01:00:00-02:00:00.log.gz
>>> app_stats.08:00:00-09:00:00.log.gz  conn-summary.01:00:00-02:00:00.log.gz  files.02:00:00-03:00:00.log.gz  notice.02:00:00-03:00:00.log.gz        snmp.11:00:00-12:00:00.log.gz      weird.02:00:00-03:00:00.log.gz
>>> app_stats.09:00:00-10:00:00.log.gz  conn-summary.02:00:00-03:00:00.log.gz  files.03:00:00-04:00:00.log.gz  notice.03:00:00-04:00:00.log.gz        software.00:00:00-01:00:00.log.gz  weird.03:00:00-04:00:00.log.gz
>>> app_stats.10:00:00-11:00:00.log.gz  conn-summary.03:00:00-04:00:00.log.gz  files.04:00:00-05:00:00.log.gz  notice.04:00:00-05:00:00.log.gz        software.01:00:00-02:00:00.log.gz  weird.04:00:00-05:00:00.log.gz
>>>
>>> ...
>>>
>>>
>>> Is there a configuration directive that I'm missing?
>>>
>>> Thanks in advance for any help.
>>>
>>> -Andrew
>>>
>>>
>>>
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>
>

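The naming convention Daniel describes (a subdirectory per day under "logs", and a filename carrying the rotation window of each log) is easy to get wrong when you script against the archive, especially for the partial first window after a restart (reporter.12:49:56-12:58:35 above) and for hours where no file exists at all. The following is an added example, written for this page and not BroControl's own code: it parses archived filenames, tells active spool names apart from archived ones, finds the archived file(s) covering a given timestamp, and reports hours with no file for a log. It assumes the day subdirectories are named YYYY-MM-DD, that a window is half-open [start, end), and that a window whose end is not after its start runs past midnight; the listing it runs against is constructed from the thread's ls output, not real data.

```python
"""Locate archived Bro logs by the <name>.<HH:MM:SS>-<HH:MM:SS>.log.gz convention.

Added example, not BroControl's own code.  Assumptions (also marked inline):
  * day subdirectories under logs/ are named YYYY-MM-DD;
  * an archived file covers the half-open window [start, end) on that day;
  * a window whose end is not after its start wraps past midnight.
"""
import re
from datetime import date, datetime, time, timedelta

# Archived name in logs/<day>/, e.g. conn.06:00:00-07:00:00.log.gz
ARCHIVE_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_-]+)\."
    r"(?P<start>\d{2}:\d{2}:\d{2})-(?P<end>\d{2}:\d{2}:\d{2})\.log\.gz$"
)
# Active name in spool/manager, e.g. conn.log (no time range, not compressed)
ACTIVE_RE = re.compile(r"^(?P<name>[A-Za-z0-9_-]+)\.log$")

# Constructed sample listing modelled on the thread's ls output; not real data.
SAMPLE_LOGS = {
    "2015-06-18": [
        "app_stats.00:00:00-01:00:00.log.gz",
        "conn.06:00:00-07:00:00.log.gz",
        "conn.07:00:00-08:00:00.log.gz",
        "conn-summary.00:00:00-01:00:00.log.gz",
        "dpd.07:00:00-08:00:00.log.gz",
        "known_services.00:00:00-01:00:00.log.gz",
        "known_services.01:00:00-02:00:00.log.gz",
        "known_services.09:00:00-10:00:00.log.gz",
        "known_services.12:00:00-13:00:00.log.gz",
        "loaded_scripts.12:45:56-12:58:35.log.gz",  # partial window after a start
        "reporter.12:49:56-12:58:35.log.gz",
        "reporter.13:02:38-13:06:00.log.gz",
    ]
}


def parse_archived_name(filename):
    """Return (log_name, start, end) for an archived file, else None."""
    m = ARCHIVE_RE.match(filename)
    if not m:
        return None
    return m["name"], time.fromisoformat(m["start"]), time.fromisoformat(m["end"])


def classify(filename):
    """'archived' for a logs/<day>/ name, 'active' for a spool name, else None."""
    if ARCHIVE_RE.match(filename):
        return "archived"
    if ACTIVE_RE.match(filename):
        return "active"
    return None


def covers(day, start, end, when):
    """True if the rotation window [start, end) on `day` contains `when`."""
    s = datetime.combine(day, start)
    e = datetime.combine(day, end)
    if e <= s:  # assumption: the window ends on the following day
        e += timedelta(days=1)
    return s <= when < e


def find_archived_logs(listing, log_name, when):
    """Archived files of `log_name` whose window contains `when`.

    `listing` maps a day-subdirectory name to its filenames; `when` is a
    datetime or an ISO 8601 string.
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    hits = []
    for daydir, names in listing.items():
        day = date.fromisoformat(daydir)  # assumption: YYYY-MM-DD subdirectories
        for fn in names:
            parsed = parse_archived_name(fn)
            if parsed is None or parsed[0] != log_name:
                continue
            if covers(day, parsed[1], parsed[2], when):
                hits.append(f"{daydir}/{fn}")
    return sorted(hits)


def hourly_gaps(names, log_name, first_hour, last_hour):
    """Start hours in [first_hour, last_hour] with no archived `log_name` file.

    A gap may be benign (nothing logged that hour) or may mark a rotation or
    archiving problem; either way, know about it before treating the archive
    as complete evidence.
    """
    seen = {p[1].hour for p in map(parse_archived_name, names)
            if p is not None and p[0] == log_name}
    return [h for h in range(first_hour, last_hour + 1) if h not in seen]


if __name__ == "__main__":
    print(find_archived_logs(SAMPLE_LOGS, "conn", "2015-06-18T06:30:00"))
    print(hourly_gaps(SAMPLE_LOGS["2015-06-18"], "known_services", 0, 12))
```

To run it against a real BroControl tree, replace SAMPLE_LOGS with a dict built from os.listdir() over the day subdirectories of the "logs" directory; the names in spool/manager will all classify as "active", which is exactly the mismatch Andrew saw.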

More information about the Bro mailing list