[Bro] Take action on a notice?

Justin Azoff JAzoff at albany.edu
Tue Apr 16 06:49:43 PDT 2013


On Tue, Apr 16, 2013 at 09:37:06AM -0400, Jesse Bowling wrote:
> I'm regularly seeing PacketFilter::Dropped_Packets notices in my logs, which I
> believe are related to an issue with the version of PF_RING that I'm using. I'm
> in the midst of getting it upgraded, but in the meantime I'd love to be able to
> take an automated action on these notices (i.e., automatically restart the
> worker process that's dropping packets).
> 
> I know all the parts for doing this are in the archives somewhere, but would
> someone mind giving me at least the high-level steps? My brogramming is nascent
> at best...

I use this, but it is for restarting workers that have completely
stopped processing packets:

*/5 * * * * root sleep 5 ; grep -s -P "\t0\t0\t0" /usr/local/bro/logs/current/capture_loss.log && restart_bro


restart_bro is just a script that uses broctl to restart bro and sends
notifications.



-- 
-- Justin Azoff
-- Network Security & Performance Analyst
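
An added example, not part of the original post and not the poster's restart_bro script: where the cron line above matches a zero row anywhere in the current log, this goes one step further and reports which workers have zero ACKs in their most recent capture_loss.log entry, so that only those need attention. It assumes Bro's tab-separated ASCII log with a "#fields" header naming the `peer` and `acks` columns; the function names `stalled_workers` and `demo_log` and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: list workers whose latest capture_loss.log entry has acks == 0.
# Column positions come from the "#fields" header instead of being hard-coded.

stalled_workers() {
    # $1 = path to a capture_loss.log (tab-separated ASCII format)
    awk -F '\t' '
        $1 == "#fields" {
            # Header is "#fields<TAB>ts<TAB>...", so data column = header column - 1
            for (i = 2; i <= NF; i++) col[$i] = i - 1
            next
        }
        /^#/ { next }                       # skip the other metadata lines
        ("peer" in col) && ("acks" in col) {
            # Later rows overwrite earlier ones, leaving the newest value per peer
            last_acks[$(col["peer"])] = $(col["acks"])
        }
        END {
            for (p in last_acks)
                if (last_acks[p] + 0 == 0) print p
        }
    ' "$1" | sort
}

# Constructed sample log (timestamps, peers and counts are made up)
demo_log() {
    printf '#separator \\x09\n'
    printf '#fields\tts\tts_delta\tpeer\tgaps\tacks\tpercent_lost\n'
    printf '1366119000.0\t900.0\tworker-1\t12\t48211\t0.024891\n'
    printf '1366119000.0\t900.0\tworker-2\t3\t51077\t0.005873\n'
    printf '1366119000.0\t900.0\tworker-3\t0\t0\t0.000000\n'
    printf '1366119900.0\t900.0\tworker-1\t9\t47630\t0.018896\n'
    printf '1366119900.0\t900.0\tworker-2\t0\t0\t0.000000\n'
    printf '1366119900.0\t900.0\tworker-3\t5\t39902\t0.012531\n'
}

# Demo run: worker-3 recovered in the later interval, worker-2 is stalled
tmp=$(mktemp) && demo_log > "$tmp" && stalled_workers "$tmp"
rm -f "$tmp"
```

Run from cron in place of the grep, the printed names tell the restart script which workers stopped seeing traffic.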


