Ben McDowall
Fri Aug 5 23:14:05 PDT 2016

Sorted now. Rebooted my guest that didn't work. Rebooted my host platform now all working. Strange as.

:) As you all were

Just a thought... Are you sure that no one has changed the network around and that the HTTP traffic is still passing the bro sensor? If it creates the log then it sees something and is working (for the moment, assume correctly). If it saw nothing, no log.. Could someone have changed a path on you?

I have a weird condition going on in which Bro stops loging after the filesize of http hits 100 odd kb it just started happening the other morning (5am)

-rw-r--r-- 1 root root  107K Aug  5 00:00 http.23:00:00-00:00:00.log.gz
-rw-r--r-- 1 root root  107K Aug  4 23:00 http.22:00:00-23:00:00.log.gz
-rw-r--r-- 1 root root  107K Aug  4 22:00 http.21:00:00-22:00:00.log.gz
-rw-r--r-- 1 root root  106K Aug  4 21:00 http.20:00:00-21:00:00.log.gz
-rw-r--r-- 1 root root  107K Aug  4 20:00 http.19:00:00-20:00:00.log.gz
-rw-r--r-- 1 root root  107K Aug  4 19:00 http.18:00:00-19:00:00.log.gz
-rw-r--r-- 1 root root  108K Aug  4 18:00 http.17:00:00-18:00:00.log.gz
-rw-r--r-- 1 root root  108K Aug  4 17:00 http.16:00:00-17:00:00.log.gz
-rw-r--r-- 1 root root  107K Aug  4 16:00 http.15:00:00-16:00:00.log.gz
-rw-r--r-- 1 root root  107K Aug  4 15:00 http.14:00:00-15:00:00.log.gz
-rw-r--r-- 1 root root  106K Aug  4 14:00 http.13:00:00-14:00:00.log.gz
-rw-r--r-- 1 root root  106K Aug  4 13:00 http.12:00:00-13:00:00.log.gz
-rw-r--r-- 1 root root  107K Aug  4 12:00 http.11:00:00-12:00:00.log.gz
-rw-r--r-- 1 root root  109K Aug  4 11:00 http.10:00:00-11:00:00.log.gz
-rw-r--r-- 1 root root  110K Aug  4 10:00 http.09:00:00-10:00:00.log.gz
-rw-r--r-- 1 root root  110K Aug  4 09:00 http.08:00:00-09:00:00.log.gz
-rw-r--r-- 1 root root  112K Aug  4 08:00 http.07:00:00-08:00:00.log.gz
-rw-r--r-- 1 root root  110K Aug  4 07:00 http.06:00:00-07:00:00.log.gz
-rw-r--r-- 1 root root  476K Aug  4 06:00 http.05:00:00-06:00:00.log.gz
-rw-r--r-- 1 root root   30M Aug  4 05:00 http.04:00:00-05:00:00.log.gz
-rw-r--r-- 1 root root   34M Aug  4 04:00 http.03:00:00-04:00:00.log.gz
-rw-r--r-- 1 root root   34M Aug  4 03:00 http.02:00:00-03:00:00.log.gz
-rw-r--r-- 1 root root   40M Aug  4 02:00 http.01:00:00-02:00:00.log.gz
-rw-r--r-- 1 root root   45M Aug  4 01:00 http.00:00:00-01:00:00.log.gz

Has anyone else encountered this before? I have 3 workers as I load balance the traffic going to my server.
