[Bro-Dev] [archive log failure]

Aashish Sharma asharma at lbl.gov
Mon Oct 3 13:18:37 PDT 2016 

HI Daniel, 

> As for the strange directory names, one possible reason could be your
> make-archive-name script is producing bad output.

make-archive-name script does correctly archive the logs to 2016-10-03 folder. 

This is the contect of the script:

$ cat make-archive-name 

name=$1
flavor=$2
opened=$3
closed=$4
host=`hostname -s`

day=`echo $opened  | awk -F - '{printf "%s-%s-%s", $1, $2, $3}'`
from=`echo $opened | awk -F - '{printf "%s:%s:%s", $4, $5, $6}'`
to=`echo $closed | awk -F - '{printf "%s:%s:%s", $4, $5, $6}'`

if [ "$closed" != "" ]; then
   echo $day/$name.$host.$day-$from-$to
else
   echo $day/$name.$host.$day-$from-current
fi

=== 

Hereis output of  20rk-5-8 directory for example: 

~/logs/20rk-5-8]$ ls -altrh
total 40
-rw-r--r--    1 bro  bro    20B Sep 28 17:39 drop-debug.log.cluster.20rk-5-8-::-17:39:24.gz
-rw-r--r--    1 bro  bro    20B Oct  3 09:40 drop-debug.log.cluster.20rk-5-8-::-09:40:35.gz
drwxr-xr-x  196 bro  bro   6.0k Oct  3 11:54 ..
drwxr-xr-x    2 bro  bro   512B Oct  3 11:54 .
-rw-r--r--    1 bro  bro    20B Oct  3 11:54 drop-debug.log.cluster.20rk-5-8-::-11:54:38.gz


Since make-archive-name does archive logs as expected not sure how to address 20rk-5-8 issue. secondly, why would these directories be in ~/logs instead of ../spool/tmp ? 


Aashish 

On Mon, Oct 03, 2016 at 03:02:14PM -0500, Daniel Thayer wrote:
> Those archive log failure emails are a new feature in version 2.5.
> The only purpose of the emails is to make it easier to notice when
> such an error occurs (i.e., these emails do not indicate a new type
> of error condition).
> Previously, if such a failure occurred, the only way you would know
> is if you noticed missing logs in one of the subdirectories of
> the <PREFIX>/logs/ directory, or if you noticed the presence of
> a new spool/tmp/post-terminate-* directory.
> 
> As for the strange directory names, one possible reason could be your
> make-archive-name script is producing bad output.
> 
> 
> 
> On 10/3/16 2:11 PM, Aashish Sharma wrote:
> >I see notifications as following:
> >
> >----- Forwarded message from Xxxxxxx  -----
> >
> >Date: Mon, 3 Oct 2016 11:54:39 -0700 (PDT)
> >From:
> >To:
> >Subject: [bro-cluster] archive log failure
> >
> >Unable to archive one or more logs in directory:
> >/usr/local/bro/spool/tmp/post-terminate-worker-2016-10-03-09-40-35-36665
> >Check the post-terminate.out file in that directory for any error messages.
> >

More information about the bro-dev mailing list