[Bro] broctl cron running, but some scheduled tasks seem to be failing?

Gary Faulkner gary at doit.wisc.edu
Thu Dec 19 07:35:39 PST 2013


Thanks for clearing that up. It helps to be looking in the right place 
:-) Only using about 11% of the disk space on the manager node and only 
1% on the worker node. I don't see any archive-log processes running, 
but I've believe I've seen them in the process list after stopping my 
bro instance, so I think I have an idea what I'd see if they were running.

Gary Faulkner
UW Madison
Office of Campus Information Security
608-262-8591

On 12/19/2013 8:26 AM, Daniel Thayer wrote:
> On 12/18/2013 11:31 PM, Gary Faulkner wrote:
>> I'm trying to troubleshoot some odd behavior. I stopped receiving hourly
>> email summaries and logs stopped being moved and compressed at some
>> point this afternoon; although new logs are still being started hourly
>> and the old log being renamed.
>>
>> As far as I can tell from the cron log the broctl cron job is running as
>> scheduled. I tried running broctl cron manually, but no dice. It didn't
>> see any hung processes from earlier cron jobs or any emails in the bro
>> user's mailbox indicating something went awry. Does broctl cron produce
>> any log output if it has trouble?
>>
>
> Actually, broctl cron doesn't do log rotation or hourly email summaries.
> In fact, those happen even if broctl isn't running at all.  When it's
> time to do a log rotation, Bro itself (on the manager host) executes
> a script
>   <prefix>/share/broctl/scripts/archive-log
> and that script then executes a script
> <prefix>/share/broctl/scripts/postprocessors/summarize-connections
> that generates and emails the connection summary report.
>
> So, I'd suggest making sure those scripts exist on your manager host,
> check if you see any "archive-log" processes running in the background,
> and then check if you're running out of disk space.
>


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6257 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20131219/87b63a02/attachment.bin 


More information about the Bro mailing list