[Bro-Dev] #970: broctl stop/restart eating logs? (was: broctl restart eating logs?)

Bro Tracker bro at tracker.bro.org
Wed Mar 20 12:41:13 PDT 2013


#970: broctl stop/restart eating logs?
-----------------------------+------------------------
  Reporter:  robin           |      Owner:
      Type:  Problem         |     Status:  new
  Priority:  High            |  Milestone:  Bro2.2
 Component:  Bro             |    Version:  git/master
Resolution:  Solved/Applied  |   Keywords:
-----------------------------+------------------------

Comment (by dnthayer):

 I've identified a race condition in the "stop" command
 that can cause log files to be deleted before they
 are archived.

 When a "broctl stop" is issued, before bro terminates it
 will first run the archive-log script in the background (i.e.,
 bro does not wait for it to finish) for each log. Then,
 when broctl is satisfied that bro has terminated successfully,
 it runs the post-terminate script. The post-terminate script
 moves the "spool/<node>" directory into tmp, creates a new
 "spool/<node>" directory, and then deletes the one that was
 moved into tmp. At that point, if there are still any
 archive-log processes running in the background, they
 likely won't be able to archive their log file because
 the file has already been deleted by the post-terminate
 script.

 I've been able to reproduce this problem only for the conn.log
 (the problem is much more likely for conn.log because the
 connection summary processing takes considerably more time
 to finish than anything else that archive-log does).

-- 
Ticket URL: <http://tracker.bro.org/bro/ticket/970#comment:2>
Bro Tracker <http://tracker.bro.org/bro>
Bro Issue Tracker



More information about the bro-dev mailing list