[Bro] Bro crashed this morning..
Azoff, Justin S
jazoff at illinois.edu
Mon Oct 24 11:58:22 PDT 2016
> On Oct 24, 2016, at 2:48 PM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
> I have two crons currently in bro's crontab:
> $ crontab -l
> 0-59/5 * * * * /usr/local/bro/default/bin/broctl cron
> 55 6 * * * /usr/local/bro/bin/restart-bro
> restart-bro is a small script that looks like this:
> /usr/local/bro/default/bin/broctl install
> /usr/local/bro/default/bin/broctl restart
> The reason, I think, for having bro restart every morning at 6:55 is we pull down the intel feeds every morning at 6:45
> that updates the files that bro monitors as input feeds for intel framework.
> And I thought that Bro would not pick up new/updated input feeds unless restarted.
> Would that be something causing bro to not restart?
You shouldn't have to restart bro for it to pull in updates from intel files.
It's suspicious that you say bro crashed at 7am and that cron job runs at 6:55.
It's possible that something went wrong during the restart and bro just ended up stopped. I could see 'broctl restart' leaving the cluster in an inconsistent state if it gets interrupted.
I'd just remove that job (since intel files should auto update on their own) or try changing the time it runs at to 6:57, which should at least avoid it running at the same time as cron.
- Justin Azoff
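
The schedule overlap discussed in this thread can be checked mechanically. The following is an added example, not part of the original message or of broctl: it expands the minute and hour fields of the two crontab entries quoted above and of the suggested 6:57 alternative, and lists the times at which both jobs start in the same minute. The function names are made up for this illustration, and the day and month fields are assumed to be `*`.

```python
# Added example: find the minutes at which two crontab entries start together.

def expand(field, lo, hi):
    """Expand one cron field (*, a, a-b, a-b/n, */n, comma lists) to a set of ints."""
    values = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            start, end = (int(x) for x in rng.split("-"))
        else:
            start = int(rng)
            end = hi if "/" in part else start
        if not (lo <= start <= end <= hi) or step < 1:
            raise ValueError(f"bad cron field: {field!r}")
        values.update(range(start, end + 1, step))
    return values

def start_times(entry):
    """Return the set of (hour, minute) pairs at which a crontab line fires."""
    minute, hour = entry.split()[:2]
    return {(h, m) for h in expand(hour, 0, 23) for m in expand(minute, 0, 59)}

def collisions(entry_a, entry_b):
    """Sorted (hour, minute) pairs where both entries start in the same minute.
    Only minute and hour are compared; day/month fields are assumed to be '*'."""
    return sorted(start_times(entry_a) & start_times(entry_b))

# The two entries quoted in the thread, plus the 6:57 alternative from the reply.
BROCTL_CRON = "0-59/5 * * * * /usr/local/bro/default/bin/broctl cron"
RESTART_0655 = "55 6 * * * /usr/local/bro/bin/restart-bro"
RESTART_0657 = "57 6 * * * /usr/local/bro/bin/restart-bro"

if __name__ == "__main__":
    for label, entry in (("6:55", RESTART_0655), ("6:57", RESTART_0657)):
        hits = collisions(BROCTL_CRON, entry)
        print(f"restart at {label}: same-minute starts with broctl cron: {hits or 'none'}")
```

This compares start minutes only; a restart that is still running at 7:00 would overlap the next `broctl cron` run regardless of the minute it started in.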