[Bro] debugging script

Azoff, Justin S jazoff at illinois.edu
Thu Aug 4 09:56:11 PDT 2016

> On Aug 4, 2016, at 12:21 PM, Johanna Amann <johanna at icir.org> wrote:
> Hi,
>> After changing the file contents, the new data doesn't seem to be making it
>> into the table. I tried adding print statements into the 'event entry' but
>> not sure where those prints are going. Where do the output of the print
>> statements go on a running system (i.e. a cluster)? Is there a way for me
>> add some debugging info into scripts i.e. printf like debugging? Any
>> pointers are much appreciated... thanks.
> When you are running with broctl, I think the print output goes into
> [install-base]/spool/[nodename]/stdout.log.
> So, e.g. [base]/spool/worker-1/stdout.log.

One gotcha with this (that has tripped me up an embarrassing number of times and as most recently as yesterday) is that those files are buffered.

If you only print a few lines, nothing will be written to stdout.log until bro stops.  To fix that, you can just do


Or if you are doing a lot of testing, have this in place:

event flush() {
	schedule 5sec { flush() };

event bro_init() {
	schedule 5sec { flush() };

I vaguely remember there is a way to just set all files to be non-buffered.. though hard flushing every few seconds probably is better for performance.

- Justin Azoff

More information about the Bro mailing list