[Bro-Dev] [JIRA] (BIT-1180) Input framework subsequent REREAD fails after file update

Aashish Sharma (JIRA) jira at bro-tracker.atlassian.net
Mon Mar 16 11:06:00 PDT 2015

    [ https://bro-tracker.atlassian.net/browse/BIT-1180?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19960#comment-19960 ] 

Aashish Sharma commented on BIT-1180:

> But generally, I think users of the input framework should be expected to atomically change input files

Very correct! The case where this atomicity fails is: there are cases where some bug in the input-file creation script or a corner case in the input data (a new tab or some weird char, or format issue, etc.) causes the read to fail. I'd like to go correct the input file, but then (a) basically Bro needs to be restarted, or (b) otherwise the read has failed and, if I am unaware of this silent failure, I am under the impression that the system is working as expected while the blacklist IPs aren't getting dropped any more.

It would be useful to attempt a re-read after a duration or if another 'update/change' event kicks in on the input file.

> Input framework subsequent REREAD fails after file update
> -----------------------------------------------------------
>                 Key: BIT-1180
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1180
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.2
>            Reporter: Aashish Sharma
>            Assignee: Johanna Amann
>              Labels: input-framework
>             Fix For: 2.5
> I have a file that gets updated every hour and I am using it as a feed into Bro using the input framework. Every hour I write a list of IP addresses into this file. For many updates everything works fine, but occasionally I see the following error:
> Apr  6 05:00:09 Reporter::ERROR /feeds/Blacklist/CURRENT.24hrs_BRO/Input::READER_ASCII: could not read first line        (empty)
> After this failure/message,  any subsequent updates on the file are ignored by the input framework. 
> From visual inspection the file looks just fine and header/data (1 column of IP addresses) is there as expected, but somehow the input framework doesn't like it. It seems that every hour when I update the file using a cron script, on a rare occasion the file is empty for a minuscule duration, after which this error starts.
> For further REREADs, data won't get updated into the tables anymore once the above Reporter::ERROR kicks in.
> Please let me know if you need ways to reproduce this error condition or have more questions for me. 
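
The atomic-update practice quoted at the top of the comment, sketched for the hourly cron job as an added example (not code from the original message or from the Bro project): the feed is built in a temporary file, filtered, and renamed into place, so the reader never sees the momentarily empty file described in the issue. The function name `publish_feed`, the column name `ip` and all paths are assumptions.

```shell
#!/bin/sh
# Added example: publish a one-column IP feed for the ASCII reader so that
# the reader observes either the previous file or the complete new one.
# Assumptions: the column is named "ip"; file paths are placeholders.

# publish_feed SRC DEST
#   SRC  - freshly generated list, one IPv4 address per line
#   DEST - the file the input framework reads
# Returns 0 on success; on any failure DEST is left untouched.
publish_feed() {
    src=$1
    dest=$2
    dir=$(dirname "$dest")
    # Temp file in the same directory, so mv is a rename on one filesystem.
    tmp=$(mktemp "$dir/.feed.XXXXXX") || return 1

    # Tab-separated header line for the ASCII reader.
    printf '#fields\tip\n' > "$tmp"

    # Strip CRs and stray leading/trailing whitespace (tabs included), then
    # keep only lines shaped like a dotted quad. grep exits 1 on no match,
    # which the row check below handles.
    tr -d '\r' < "$src" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' >> "$tmp" || true

    # Refuse to publish a feed with no data rows: keep the last good file.
    rows=$(($(wc -l < "$tmp") - 1))
    if [ "$rows" -lt 1 ]; then
        rm -f "$tmp"
        echo "publish_feed: no valid rows in $src, keeping $dest" >&2
        return 1
    fi

    chmod 644 "$tmp"
    # Atomic swap into place.
    mv -f "$tmp" "$dest"
}
```

A non-zero return from the cron job is the signal to alert on, since the previous feed stays in place when the new one is rejected.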
