[Bro] No log when bro script is run with broctl
tobias.brunnwieser at ppro.com
Tue Nov 28 00:47:15 PST 2017

On 28.11.2017 03:57, Johanna Amann wrote:
> This sounds a bit odd and I am not really sure what you are doing wrong.
> My first intuition would be to do a full stop of all nodes that broctl is
> running, and then do a deploy again just to make sure that the logger,
> manager, and worker nodes are really all running the same scripts.

I did that several times, that was not the issue.

> It also is always worthwhile to check reporter.log for script error
> messages that creep up.

This was a good hint: it reported checksum errors. Since I explicitly
disabled checksums on the command line with -C, I added ignore_checksums
in bro.local and it worked. Probably I missed just the ssl_established
event that triggers the log write. This is weird, since the default SSL
analyzer makes use of it, too, and its log got written...

Thanks for your help!