[Bro-Dev] bro manager stops writing logs - EINTR issue ?

barak gilboa barak.work.email at gmail.com
Sun Jan 17 00:58:06 PST 2016

I would appreciate anyone's help on the following issue :

setup: 24 workers,1 proxy, 1 manager. each worker has a bloomfilter of its
own so eventually very few events are passed on to the manager for writing.
there is only 1 log file being written (dns.log) which fills at a rate of
about 10k lines per sec.

problem: after a few hours, manager stops writing the log file though
everything is still running. no errors on debug.log or stderr.log.
I ran strace and found that the manager's child process has *EINTR* issue:

ERESTARTNOHAND to be restarted if no handler
SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL}
rt_sigreturn()=-1 EINTR (interrupted system call)

I read that bro should handle EINTR errors internally.
any suggestions on what can be done ?

thanks !
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20160117/1febf31a/attachment.html 

More information about the bro-dev mailing list