[Bro-Dev] #160: Output totaled information with the capstats command
Bro Tracker
bro-dev at bro-ids.org
Mon Oct 18 17:54:25 PDT 2010
#160: Output totaled information with the capstats command
------------------------------+---------------------------------------------
  Reporter:  seth              |  Owner:       robin
      Type:  Feature Request   |  Status:      closed
  Priority:  Low               |  Component:   BroControl
   Version:  1.5.2-devel (svn) |  Resolution:  fixed
  Keywords:                    |
------------------------------+---------------------------------------------
Comment (by robin):
(In [7098]) - A larger BroControl update:
o Increasing default timeouts for scan detector significantly.
o Increasing the manager's max_remote_events_processed to
something large, as it would slow down the process too much
otherwise and there's no other work to be interleaved with it
anyway.
o Adding debug output to cluster's part of catch-and-release
(extends the debugging already present in policy/debug.bro)
o Fixing typo in util.py. Closes #223.
o Added note to README pointing to HTML version.
o Disabling print_hook for proxies' remote.log.
o broctl's capstats now reports a total as well, and stats.log
tracks these totals. Closes #160.
o Avoiding spurious "waiting for lock" messages in cron mode.
Closes #206.
o Bug fixes for installation on NFS.
o Bug fix for top command on FreeBSD 8.
o crash-diag now checks whether gdb is available.
o trace-summary reports the sample factor in use in its output,
and now also applies it to the top-local-networks output (not
doing the latter was a bug).
o Removed the default twice-a-day rotation for conn.log. The
default rotation for conn.log is now once every 24h, just
like for all other logs with the exception of mail.log (which is
still rotated twice a day, and thus the alarms are still mailed
out twice a day).
o Fixed the problem of logs sometimes being filed into the wrong
directory (see the (now gone) FAQ entry in the README).
o One can now customize the archive naming scheme. See the
corresponding FAQ entry in the README.
o Cleaned up, and extended, collection of cluster statistics.
${logdir}/stats now looks like this:
drwxr-xr-x 4 bro wheel 59392 Apr 5 17:55 .
drwxr-xr-x 96 bro wheel 2560 Apr 6 12:00 ..
-rw-r--r-- 1 bro wheel 576 Apr 6 16:40 meta.dat
drwxr-xr-x 2 bro wheel 2048 Apr 6 16:40 profiling
-rw-r--r-- 1 bro wheel 771834825 Apr 6 16:40 stats.log
drwxr-xr-x 2 bro wheel 2048 Apr 6 16:25 www
stats.log accumulates cluster statistics collected every time
"cron" is called.
- profiling/ keeps the nodes' prof.logs.
- www/ keeps a subset of stats.log in CSV format for easy plotting.
- meta.dat contains meta information about the current cluster
state (in particular which nodes we have, and when the last
stats update was done).
Note that there is no Web setup yet to actually plot the data
in www/.
o BroControl now automatically maintains links inside today's log
archive directory pointing to the current live version of the
corresponding log file (if Bro is running). For example:
smtp.log.11:52:18-current -> /usr/local/cluster/spool/manager/smtp.log
o Alarms mailed out by BroControl now (1) have the notice msg in the
subject; and (2) come with the full mail.log entry in the body.
--
Ticket URL: <http://tracker.icir.org/bro/ticket/160#comment:4>
Bro Tracker <http://tracker.icir.org/bro>
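The commit note above says broctl's capstats now reports a total across nodes, that stats.log tracks those totals, and that www/ keeps a CSV subset for plotting. The script below is an added example, not BroControl's own code, showing the shape of that aggregation: it parses per-node capture statistics, checks each line, sums them into a "total" row, and emits a CSV subset. The input line format (node, packets/sec, packet count, Mbit/sec) and the sample values are constructed assumptions for this example and are not the real capstats or stats.log format.

```python
"""Total per-node capture statistics and write a CSV subset for plotting.

Added example (not BroControl code). The line format and the sample
data are constructed for illustration only.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample: one line per cluster node,
# "<node> <pkts/sec> <pkts> <mbits/sec>". Non-sniffing nodes report zeros.
SAMPLE_STATS = """\
# node pps pkts mbps
manager 0.0 0 0.0
worker-1 10250.5 615030 82.4
worker-2 9870.2 592212 79.1
proxy-1 0.0 0 0.0
"""


@dataclass
class NodeStats:
    node: str
    pps: float   # packets per second
    pkts: int    # packets seen in the interval
    mbps: float  # megabits per second


def parse_capstats(text):
    """Parse the assumed per-node format, rejecting malformed lines
    instead of silently dropping them (a missing node would otherwise
    make the total look healthy while a worker is actually down)."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        node, pps, pkts, mbps = parts
        rows.append(NodeStats(node, float(pps), int(pkts), float(mbps)))
    return rows


def total(rows):
    """Sum all nodes into one synthetic 'total' row."""
    return NodeStats(
        "total",
        sum(r.pps for r in rows),
        sum(r.pkts for r in rows),
        sum(r.mbps for r in rows),
    )


def sniffing_nodes(rows):
    """Only nodes that actually saw traffic; useful for spotting a
    worker whose interface went quiet."""
    return [r for r in rows if r.pkts > 0]


def to_csv(rows):
    """CSV subset (node, pkts, mbps) plus the total row, for plotting."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["node", "pkts", "mbps"])
    for r in list(rows) + [total(rows)]:
        w.writerow([r.node, r.pkts, f"{r.mbps:.1f}"])
    return buf.getvalue()


def report(text=SAMPLE_STATS):
    """Plain-text report with a trailing total line, as a capstats-style
    command might print it."""
    rows = parse_capstats(text)
    lines = [f"{r.node:<10} {r.pps:>10.1f} {r.pkts:>10d} {r.mbps:>8.1f}" for r in rows]
    t = total(rows)
    lines.append(f"{t.node:<10} {t.pps:>10.1f} {t.pkts:>10d} {t.mbps:>8.1f}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
    print()
    print(to_csv(parse_capstats(SAMPLE_STATS)))
```

A real deployment would read each node's numbers from the cluster rather than a string, but the checks are the same: fail loudly on a malformed or missing node line, and keep the per-node rows alongside the total so a single dead worker is visible instead of being averaged away.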