[Bro] No log when bro script is run with broctl

Johanna Amann johanna at icir.org
Mon Nov 27 18:57:21 PST 2017


On Mon, Nov 27, 2017 at 07:24:23PM +0100, Tobias Brunnwieser wrote:
> Hi all,
> I have a simple Bro script that records SSL-related info to its own log.
> The log is created with Log::create_stream, as described on this page:
> https://www.bro.org/sphinx/frameworks/logging.html.
> When running Bro directly from command line with:
> bro -C -b -i eth0 script.bro
> The expected log file is written in the directory in which Bro is run
> (together with some logs that are produced automatically, like ssl.log).
> But when I try to do the same through a broctl setup, I don't get a log
> any more. Here's my configuration:
> 	- modified sites/local.bro to include only my script
> 	- broctl config files are otherwise only slightly modified, using the
> standard setup of a single, local node
> 	- used broctl for deploying and starting node
> It seems that the script is properly deployed to the node, at least the
> diag command from broctl shows that the script got loaded (from the
> spooling location). But I do not get the log that the script is supposed
> to produce. All other logs (like ssl.log) are created ordinarily and are
> found in the expected location.
> My question is: am I missing something, is there a difference between the
> scripts shipped with Bro and my deployed script that prevents it from
> writing logs? Or is this most likely a bug?

This sounds a bit odd and I am not really sure what you are doing wrong.
My first intuition would be to do a full stop of all nodes that broctl is
running, and then do a deploy again just to make sure that the logger,
manager, and worker nodes are really all running the same scripts.

Apart from that, to answer your question - the scripts that are shipped
with Bro are not handled differently from scripts that you write. They use
the exact same mechanics to create log files - so if it works for them it
should work for you.

It is also always worthwhile to check reporter.log for script error
messages that creep up.

> Another question: what are the prerequisites of broctl? Apparently you
> can build it without Broker and Broccoli, but then some commands from
> broctl do not work.

Other people are probably more qualified to answer this question - but
currently Bro is typically built without broker support (one has to
specifically enable it) and with broccoli support. Without broccoli you
miss some features like being able to directly access the value of
variables; however the base functionality should still work.

I hope this helps,
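For readers following this thread, here is an added example of the kind of script the question describes: a custom SSL log created with Log::create_stream, using exactly the mechanism Bro's own base scripts use. It is not code from either poster; the module name SSLCustom, the stream path ssl_custom and the field set are assumptions, and the syntax targets Bro 2.5-era scripts.

```bro
##! Added example (not from the thread): a minimal custom SSL log stream
##! built with Log::create_stream, the same mechanism Bro's shipped scripts
##! use. Module name, path and fields are assumptions for illustration.

@load base/protocols/ssl

module SSLCustom;

export {
    ## Log stream identifier for this script's log.
    redef enum Log::ID += { LOG };

    ## One record per successfully negotiated TLS session.
    type Info: record {
        ts:          time    &log;
        uid:         string  &log;
        id:          conn_id &log;
        server_name: string  &log &optional;
        version:     string  &log &optional;
        cipher:      string  &log &optional;
    };

    ## Raised for every record written, so other scripts can hook the stream.
    global log_ssl_custom: event(rec: Info);
}

event bro_init() &priority=5
    {
    # Produces ssl_custom.log: in the working directory when Bro is run from
    # the command line, in the node's spool directory when run under broctl.
    Log::create_stream(SSLCustom::LOG,
                       [$columns=Info, $ev=log_ssl_custom, $path="ssl_custom"]);
    }

event ssl_established(c: connection)
    {
    local rec: Info = [$ts=network_time(), $uid=c$uid, $id=c$id];

    # SSL::Info fields are &optional; check before reading each one so a
    # missing field cannot raise a runtime error (which would only be
    # visible in reporter.log).
    if ( c?$ssl )
        {
        if ( c$ssl?$server_name )
            rec$server_name = c$ssl$server_name;
        if ( c$ssl?$version )
            rec$version = c$ssl$version;
        if ( c$ssl?$cipher )
            rec$cipher = c$ssl$cipher;
        }

    Log::write(SSLCustom::LOG, rec);
    }
```

Run from the command line as in the question (bro -C -b -i eth0 ssl_custom.bro) this writes ssl_custom.log next to ssl.log. Under broctl, @load it from local.bro, then look for the file in the running node's spool directory and, after rotation, under the logs/ date directory; any script error raised while writing the record lands in reporter.log rather than on the console.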

