[Bro] broctl cron running, but some scheduled tasks seem to be failing?
Daniel Thayer
dnthayer at illinois.edu
Thu Dec 19 06:26:06 PST 2013
On 12/18/2013 11:31 PM, Gary Faulkner wrote:
> I'm trying to troubleshoot some odd behavior. I stopped receiving hourly
> email summaries and logs stopped being moved and compressed at some
> point this afternoon; although new logs are still being started hourly
> and the old log being renamed.
>
> As far as I can tell from the cron log the broctl cron job is running as
> scheduled. I tried running broctl cron manually, but no dice. It didn't
> see any hung processes from earlier cron jobs or any emails in the bro
> user's mailbox indicating something went awry. Does broctl cron produce
> any log output if it has trouble?
>
Actually, broctl cron doesn't do log rotation or hourly email summaries.
In fact, those happen even if broctl isn't running at all. When it's
time to do a log rotation, Bro itself (on the manager host) executes
a script
<prefix>/share/broctl/scripts/archive-log
and that script then executes a script
<prefix>/share/broctl/scripts/postprocessors/summarize-connections
that generates and emails the connection summary report.
So, I'd suggest making sure those scripts exist on your manager host,
check if you see any "archive-log" processes running in the background,
and then check if you're running out of disk space.
More information about the Bro
mailing list