[Bro-Dev] broctl process tracking problems

Aashish Sharma asharma at lbl.gov
Fri Feb 17 11:02:23 PST 2012


> > I had the same issue a time or two.  Running 'broctl ps.bro' right after 'broctl status' has become part of my new ritual before stopping/starting or just restarting any of my clusters.

Yes, but there could be other situations you can probably look for when
the bro process is running:

- Your network interfaces may not see the data
- Another possibility is that data is coming on the interfaces and bro
  is running but not processing the incoming data (hopefully won't happen)

so you might want to also check if the logs are growing regularly. 

Additional complexities: 

Your logs may be growing but the above situation happens only on 1
worker-node (in which case you'd see manager logs growing but won't
know that one node is consistently missing logs)

.... and so on for various other failures (I must say these are rare but
on a production system you have to account for them and over a period of
time this has happened)

We have a cron script which watches for these conditions. 

Aashish 



On Fri, Feb 17, 2012 at 01:53:41PM -0500, Seth Hall wrote:
> 
> On Feb 17, 2012, at 1:23 PM, Will wrote:
> 
> > I had the same issue a time or two.  Running 'broctl ps.bro' right after 'broctl status' has become part of my new ritual before stopping/starting or just restarting any of my clusters.
> 
> That's actually perfect!  Sometime could you make a copy of your spool/broctl.dat before you restart?
> 
> I'd like two copies of that file.  One before a restart and one after the restart (assuming the restart fails).  It could point out if there is corruption entering the broctl.dat file at some point.  This problem drives me crazy and I'd love to fix it.
> 
>   .Seth
> 
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
> 

-- 
Aashish Sharma	(asharma at lbl.gov) 				 
Cyber Security, Information Technology Division  
Lawrence Berkeley National Laboratory  
http://www.lbl.gov/cyber/pgp-aashish.txt 
Office: (510)-495-2680  Cell: (510)-457-1525
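
The per-node check described in the message above, sketched as an added example: it is not part of the original thread and is not the cron script the author mentions. The log layout (epoch timestamp, then a node-name column), the node names and the 300-second threshold are all assumptions made for illustration.

```python
"""Per-node log freshness check (added example; log layout is an assumption)."""

# Constructed sample: "<epoch ts>\t<node name>\t<rest of record>".
# The node column is hypothetical; use whatever field identifies the
# originating worker in your own logs.
SAMPLE_LOG = """\
1329505200.0\tworker-1\tconn
1329505210.0\tworker-2\tconn
1329505900.0\tworker-1\tconn
1329505930.0\tworker-1\tconn
"""

def last_seen(lines):
    """Map node name -> newest timestamp seen for that node."""
    newest = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blanks and header/comment lines
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 2:
            continue  # truncated record, e.g. a partially written last line
        try:
            ts = float(fields[0])
        except ValueError:
            continue  # first column is not a timestamp
        node = fields[1]
        newest[node] = max(ts, newest.get(node, ts))
    return newest

def check(lines, expected_nodes, now, max_age):
    """Return (aggregate_ok, stale_nodes).

    aggregate_ok: the log as a whole received a record within max_age seconds.
    stale_nodes:  expected nodes with no record within max_age seconds,
                  including nodes that never appear at all.
    """
    newest = last_seen(lines)
    aggregate_ok = bool(newest) and now - max(newest.values()) <= max_age
    stale = sorted(n for n in expected_nodes
                   if n not in newest or now - newest[n] > max_age)
    return aggregate_ok, stale

if __name__ == "__main__":
    ok, stale = check(SAMPLE_LOG.splitlines(), ["worker-1", "worker-2", "worker-3"],
                      now=1329505960.0, max_age=300)
    print("aggregate growing:", ok, "| silent nodes:", stale)
```

On the constructed sample the aggregate log looks healthy while worker-2 and worker-3 are flagged, which is the case a whole-log growth check misses.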