[Bro] No log when bro script is run with broctl
tobias.brunnwieser at ppro.com
Mon Nov 27 10:24:23 PST 2017
I have a simple Bro script that records SSL-related info to its own log.
The log is created with Log::create_stream, as described on this page:
When running Bro directly from the command line with:
bro -C -b -i eth0 script.bro
The expected log file is written in the directory in which Bro is run
(together with some logs that are produced automatically, like ssl.log).
But when I try to do the same through a broctl setup, I don't get a log
any more. Here's my configuration:
- modified sites/local.bro to include only my script
- broctl config files are otherwise only slightly modified, using the
standard setup of a single, local node
- used broctl for deploying and starting node
It seems that the script is properly deployed to the node, at least the
diag command from broctl shows that the script got loaded (from the
spooling location). But I do not get the log that the script is supposed
to produce. All other logs (like ssl.log) are created ordinarily and are
found in the expected location.
My question is: am I missing something, is there a difference between the
scripts shipped with Bro and my deployed script that prevents it from
writing logs? Or is this most likely a bug?
Another question: what are the prerequisites of broctl? Apparently you
can build it without Broker and Broccoli, but then some commands from
broctl do not work.
Any help is appreciated,
PS. I work with a slightly patched version of Bro, you'll find the patch
here: https://bro-tracker.atlassian.net/browse/BIT-1855. But it
shouldn't make a difference, it only adds an additional parameter to the
ssl_client_hello event. As explained previously, when running Bro from
the command line, I do not have any issues, even with the patched version.