[Bro] log streams in a bro cluster
Luis Martin Liras
martin.liras at gmail.com
Wed Jun 8 06:19:39 PDT 2016
Thank you for your reply Justin.

You are right, probably I didn't explain myself. There's data to be
logged but the log file is not created.

Actually, if I set:

    redef Log::enable_local_logging = T;

...and deploy again, I can see the mentioned log file in the worker node
(stored in /home/bro/bro/spool/worker-1/warnings.log), but this log file
is NOT created in the manager.

I expected all the logs from the worker nodes to be copied somehow to
manager, but it does not seem to work like that.

On 08/06/16 14:36, Azoff, Justin S wrote:
>> On Jun 8, 2016, at 4:43 AM, Luis Martin Liras <martin.liras at gmail.com> wrote:
>> Hi all,
>> I need some help with the logs generated by a Bro Cluster:
>> I have 5 bro scripts that run in all workers of my cluster
>> infrastructure. All of them work OK, sending notices to the manager and
>> all the stuff, but one of them should create a LOG stream (warnings.log)
>> that I can't find anywhere:
>> Log::create_stream(umas::WARN, [$columns=warn_info,$path="warnings"]);
>> If I run my script in a single bro installation, all logs and notices
>> seem to work, but I need it working in a cluster infrastructure.
>> I expected this Log stream to be sent to the 'logs' directory in the
>> manager, but that log file is not there. Only standard log files
>> (dns.log, http.log, stdout.log, etc) are copied to the 'logs' directory.
>> This warnings.log file does not appear anywhere in the worker either, and
>> no error log file is shown, so... I'm lost.
>> If anyone can shed some light into this, I would appreciate it.
> When are you writing to that log? Just creating the log stream doesn't create the file until you do a
> Log::write(umas::WARN, record);
>> The other problem I have is the following: My script should open a
>> config file. In a single machine infrastructure this config file is in
>> the same directory of the scripts, and everything works fine. The file is
>> opened and read. However in a cluster infrastructure the file is not
>> opened in the workers. I find that the file is copied by broctl to the
>> worker BUT it is not read when the bro script is running. Anyone can
>> tell me what I'm doing wrong or where should I locate that file in the
>> Thank you for any help!!
> How are you loading the configuration file?
> You should be using something like
> local config_path = fmt("%s/my-config.something", @DIR);
> otherwise a relative or absolute path may not be what you expect.
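
The two points from the quoted reply (no log file exists until the first Log::write, and the config path should be built from @DIR), put together as an added example that is not the poster's script or code from the Bro project. The stream ID, columns name, log path and config file name come from the thread; the record fields, the log_warning helper and the key/value config layout read through the Input framework are assumptions.

```bro
# Added example, not the poster's script. Stream ID, columns name, log path and
# config file name are taken from the thread; record fields and the config
# layout (ASCII reader: "#fields<TAB>key<TAB>value" header) are assumptions.
module umas;

export {
    redef enum Log::ID += { WARN };

    type warn_info: record {
        ts:   time   &log;
        node: string &log;   # peer_description identifies the writing node
        msg:  string &log;
    };
}

type ConfIdx: record { key: string; };
type ConfVal: record { value: string; };
global settings: table[string] of ConfVal = table();

function log_warning(msg: string)   # hypothetical helper
    {
    local rec: warn_info = [$ts=current_time(), $node=peer_description, $msg=msg];
    Log::write(umas::WARN, rec);
    }

event bro_init()
    {
    # Creating the stream only registers it; no file exists until the first write.
    Log::create_stream(umas::WARN, [$columns=warn_info, $path="warnings"]);

    # @DIR is the directory this script was loaded from on the node running it,
    # so the path does not depend on the process working directory.
    local config_path = fmt("%s/my-config.something", @DIR);

    # Record the resolved path per node; this write is what creates warnings.log.
    log_warning(fmt("loading config from %s", config_path));

    Input::add_table([$source=config_path, $name="umas-config",
                      $idx=ConfIdx, $val=ConfVal, $destination=settings]);
    }

event Input::end_of_data(name: string, source: string)
    {
    if ( name == "umas-config" )
        log_warning(fmt("%d config entries read from %s", |settings|, source));
    }
```

Each node that loads the script writes one entry with its own resolved path, so the node column shows which processes found the file and where they looked.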