[Bro-Dev] [JIRA] (BIT-1180) Input framework subsequent REREAD fails after file update

Justin Azoff (JIRA) jira at bro-tracker.atlassian.net
Thu Aug 7 15:32:07 PDT 2014


    [ https://bro-tracker.atlassian.net/browse/BIT-1180?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17408#comment-17408 ] 

Justin Azoff commented on BIT-1180:
-----------------------------------

One potential cause of this issue is not atomically changing the input file.  Basically, if you are doing something like this:

{code}
fetch_data > file.csv
{code}

You should instead do:

{code}
fetch_data > file.csv.new && mv file.csv.new file.csv
{code}

> Input framework subsequent REREAD fails after file update
> ----------------------------------------------------------
>
>                 Key: BIT-1180
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1180
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.2
>            Reporter: Aashish Sharma
>            Assignee: Johanna Amann
>            Priority: High
>              Labels: input-framework
>             Fix For: 2.4
>
>
> I have a file that gets updated every hour and I am using it as a feed into bro using input framework. Every hour I write a list of IP addresses into this file. For many updates everything works fine but occasionally, I see the following error:
> Apr  6 05:00:09 Reporter::ERROR /feeds/Blacklist/CURRENT.24hrs_BRO/Input::READER_ASCII: could not read first line        (empty)
> After this failure/message,  any subsequent updates on the file are ignored by the input framework. 
> From visual inspection the file looks just fine and header/data (1 column of IP addresses) is there as expected but somehow input framework doesn't like it. It seems that every hour when I update the file using a cron script, on a rare occasion the file is empty for a minuscule duration after which this error starts.
> For further REREADS data won't get updated into the tables anymore once the above Reporter::ERROR kicks in.
> Please let me know if you need ways to reproduce this error condition or have more questions for me. 



--
This message was sent by Atlassian JIRA
(v6.4-OD-02-003#64000)
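
The write-then-rename pattern from the comment above, as an added example that is not part of the original message or of Bro. It goes one step further than the one-liner by also refusing to publish an empty result and by cleaning up the temporary file; the function name `publish_feed` and the sample data in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: atomically replace a feed file that a long-running reader
# (such as the input framework in REREAD mode) polls for changes.
#
# Usage: publish_feed DEST COMMAND [ARGS...]
#   e.g. publish_feed file.csv fetch_data
# COMMAND's stdout becomes the new contents of DEST.
publish_feed() {
    dest=$1
    shift
    dir=$(dirname "$dest")

    # The temp file lives in the same directory as DEST so that mv is a
    # rename(2) on one filesystem: readers see the old file or the new
    # one, never a truncated or half-written file.
    tmp=$(mktemp "$dir/.feed.XXXXXX") || return 1

    # Keep the old file if the producer fails.
    if ! "$@" > "$tmp"; then
        rm -f -- "$tmp"
        echo "publish_feed: producer failed, keeping $dest" >&2
        return 1
    fi

    # Keep the old file if the producer succeeded but wrote nothing.
    if [ ! -s "$tmp" ]; then
        rm -f -- "$tmp"
        echo "publish_feed: new data is empty, keeping $dest" >&2
        return 2
    fi

    # mktemp creates the file 0600; assumption: the reader runs as another
    # user and needs read access.
    chmod 644 "$tmp"
    mv -f -- "$tmp" "$dest"
}

# Constructed sample call (header plus one documentation-range address):
#   publish_feed /tmp/demo.csv printf '#fields\tip\n192.0.2.1\n'
```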