[Bro-Dev] broctl process tracking problems

Aashish Sharma asharma at lbl.gov
Fri Feb 17 10:08:07 PST 2012


Yes. Incidently, I had same issue 3 days back. broctl analysis scan
showed scan was disabled but cluster was still dropping host on scan. 

So I started looking at broctl status which said cluster not running
while tail -f conn.log was growing. 

Ended up kill -s 9 on all bro worker nodes and restart with broctl.
After which it has been fine. I was quite unusual. 

Aashish 

On Fri, Feb 17, 2012 at 12:00:28PM -0500, Seth Hall wrote:
> Has anyone else ever had trouble with broctl getting confused about the status of a process?  I just ran into it a little bit ago where broctl thought that all of my workers were dead when I tried to do a restart command.  They failed when they were trying to start again because with the myricom sniffer drivers you can only sniff the interface once.
> 
> We need to do some debugging on this, but it happens sporadically enough that it might be tough.  I sort of wonder if there are issues with broctl.dat being written, I've run into problems in that file before where things wouldn't be written right.  Would it make sense to maybe even move away from broctl.dat (which tracks cluster state) and toward something like an SQLite database?
> 
>   .Seth
> 
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
> 
> 
> _______________________________________________
> bro-dev mailing list
> bro-dev at bro-ids.org
> http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev

-- 
Aashish Sharma	(asharma at lbl.gov) 				 
Cyber Security, Information Technology Division  
Lawrence Berkeley National Laboratory  
http://www.lbl.gov/cyber/pgp-aashish.txt 
Office: (510)-495-2680  Cell: (510)-457-1525
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20120217/1712c78a/attachment.bin 


More information about the bro-dev mailing list