[Bro] question about intel files

Azoff, Justin S jazoff at illinois.edu
Wed Aug 3 07:51:04 PDT 2016

> On Aug 3, 2016, at 10:42 AM, philosnef <philosnef at yahoo.com> wrote:
> Because, on boxes where we arent consistently rebooting bro, we are having oomkiller nuking splunk and bro.

Ok.. because before you said "At no point is oomkiller called"

I'm assuming that you have a cron job or something running broctl restart every 8 hours.

Can you add a script that does this, once per hour or so (and set to run at a particular minute so it runs before the job that restarts bro runs)

free -m
top -a -b -n 1
broctl top

and sends that to a file, then show us what that says after a day or so?

If you've been showing us system information from immediately after bro is restarted and not while the problem is occurring then that data isn't very useful.

