[Bro-Dev] [archive log failure]

Daniel Thayer dnthayer at illinois.edu
Mon Oct 3 13:45:54 PDT 2016


Your make-archive-name script works for me.

The next thing to check is your copy of
the <PREFIX>/share/broctl/scripts/archive-log and
the <PREFIX>/share/broctl/scripts/post-terminate script.
Check if you made any changes to those scripts (a bug in
those scripts could potentially run make-archive-name with
invalid parameters).


On 10/3/16 3:18 PM, Aashish Sharma wrote:
> Hi Daniel,
>
>> As for the strange directory names, one possible reason could be your
>> make-archive-name script is producing bad output.
>
> make-archive-name script does correctly archive the logs to 2016-10-03 folder.
>
> This is the content of the script:
>
> $ cat make-archive-name
>
> name=$1
> flavor=$2
> opened=$3
> closed=$4
> host=`hostname -s`
>
> day=`echo $opened  | awk -F - '{printf "%s-%s-%s", $1, $2, $3}'`
> from=`echo $opened | awk -F - '{printf "%s:%s:%s", $4, $5, $6}'`
> to=`echo $closed | awk -F - '{printf "%s:%s:%s", $4, $5, $6}'`
>
> if [ "$closed" != "" ]; then
>    echo $day/$name.$host.$day-$from-$to
> else
>    echo $day/$name.$host.$day-$from-current
> fi
>
> ===
>
> Here is output of 20rk-5-8 directory for example:
>
> ~/logs/20rk-5-8]$ ls -altrh
> total 40
> -rw-r--r--    1 bro  bro    20B Sep 28 17:39 drop-debug.log.cluster.20rk-5-8-::-17:39:24.gz
> -rw-r--r--    1 bro  bro    20B Oct  3 09:40 drop-debug.log.cluster.20rk-5-8-::-09:40:35.gz
> drwxr-xr-x  196 bro  bro   6.0k Oct  3 11:54 ..
> drwxr-xr-x    2 bro  bro   512B Oct  3 11:54 .
> -rw-r--r--    1 bro  bro    20B Oct  3 11:54 drop-debug.log.cluster.20rk-5-8-::-11:54:38.gz
>
>
> Since make-archive-name does archive logs as expected, not sure how to address 20rk-5-8 issue. Secondly, why would these directories be in ~/logs instead of ../spool/tmp?
>
>
> Aashish
>
> On Mon, Oct 03, 2016 at 03:02:14PM -0500, Daniel Thayer wrote:
>> Those archive log failure emails are a new feature in version 2.5.
>> The only purpose of the emails is to make it easier to notice when
>> such an error occurs (i.e., these emails do not indicate a new type
>> of error condition).
>> Previously, if such a failure occurred, the only way you would know
>> is if you noticed missing logs in one of the subdirectories of
>> the <PREFIX>/logs/ directory, or if you noticed the presence of
>> a new spool/tmp/post-terminate-* directory.
>>
>> As for the strange directory names, one possible reason could be your
>> make-archive-name script is producing bad output.
>>
>>
>>
>> On 10/3/16 2:11 PM, Aashish Sharma wrote:
>>> I see notifications as following:
>>>
>>> ----- Forwarded message from Xxxxxxx  -----
>>>
>>> Date: Mon, 3 Oct 2016 11:54:39 -0700 (PDT)
>>> From:
>>> To:
>>> Subject: [bro-cluster] archive log failure
>>>
>>> Unable to archive one or more logs in directory:
>>> /usr/local/bro/spool/tmp/post-terminate-worker-2016-10-03-09-40-35-36665
>>> Check the post-terminate.out file in that directory for any error messages.
>>>
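
A defensive variant of the naming logic discussed in this thread, as an added example that is not part of the original messages or of BroControl: it refuses malformed timestamp arguments instead of formatting them into a directory name. The names valid_stamp and archive_name and the optional fifth host argument are hypothetical, and the YYYY-MM-DD-HH-MM-SS format is an assumption taken from the six fields the quoted awk calls read.

```shell
#!/bin/sh
# Added example, not BroControl code. Same naming scheme as the quoted
# make-archive-name, but malformed timestamps are rejected, not formatted.

# Assumption: timestamps are YYYY-MM-DD-HH-MM-SS, the six dash-separated
# fields the quoted awk calls expect.
valid_stamp() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]-[0-9][0-9]-[0-9][0-9]-[0-9][0-9])
            return 0 ;;
    esac
    return 1
}

# archive_name NAME FLAVOR OPENED [CLOSED] [HOST]  (hypothetical helper)
# HOST is an added optional argument so the output is reproducible.
# The body runs in a subshell, so "exit" only sets the return status.
archive_name() (
    name=$1 opened=$3 closed=$4
    host=${5:-$(hostname -s)}

    if [ -z "$name" ] || ! valid_stamp "$opened"; then
        echo "archive_name: bad name/opened: '$name' '$opened'" >&2
        exit 2
    fi
    if [ -n "$closed" ] && ! valid_stamp "$closed"; then
        echo "archive_name: bad closed: '$closed'" >&2
        exit 2
    fi

    day=$(echo "$opened" | awk -F - '{printf "%s-%s-%s", $1, $2, $3}')
    from=$(echo "$opened" | awk -F - '{printf "%s:%s:%s", $4, $5, $6}')
    if [ -n "$closed" ]; then
        to=$(echo "$closed" | awk -F - '{printf "%s:%s:%s", $4, $5, $6}')
    else
        to=current
    fi
    echo "$day/$name.$host.$day-$from-$to"
)
```

A non-zero status with the offending argument on stderr makes a bad caller visible at the point of failure rather than as an oddly named directory later.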

