[Bro] LogExpireInterval not respected?

Jesse Bowling jessebowling at gmail.com
Tue Feb 12 09:18:51 PST 2013


Thanks again Tyler.

Unfortunately, that was not the case here (although I have observed the
same previously). Disabling the cron job and running it manually with
strace, we end up hanging after a few minutes:

read(8, "W", 1)                         = 1
read(8, "r", 1)                         = 1
read(8, "i", 1)                         = 1
read(8, "t", 1)                         = 1
read(8, "e", 1)                         = 1
read(8, " ", 1)                         = 1
read(8, "p", 1)                         = 1
read(8, "a", 1)                         = 1
read(8, "c", 1)                         = 1
read(8, "k", 1)                         = 1
read(8, "e", 1)                         = 1
read(8, "t", 1)                         = 1
read(8, "s", 1)                         = 1
read(8, " ", 1)                         = 1
read(8, "t", 1)                         = 1
read(8, "o", 1)                         = 1
read(8, " ", 1)                         = 1
read(8, "f", 1)                         = 1
read(8, "i", 1)                         = 1
read(8, "l", 1)                         = 1
read(8, "e", 1)                         = 1
read(8, "\n", 1)                        = 1
wait4(44650, 0x7fffb630f2e4, WNOHANG, NULL) = 0
read(8, "\n", 1)                        = 1
wait4(44650, 0x7fffb630f2e4, WNOHANG, NULL) = 0
read(8, "~", 1)                         = 1
read(8, "~", 1)                         = 1
read(8, "~", 1)                         = 1
read(8, "\n", 1)                        = 1
wait4(44707, 0x7fffb630f2e4, WNOHANG, NULL) = 0
read(32, "0", 1)                        = 1
read(32, "\n", 1)                       = 1
wait4(44707, 0x7fffb630f2e4, WNOHANG, NULL) = 0
read(32,

Any other hints?

Cheers,

Jesse


On Tue, Feb 12, 2013 at 9:55 AM, Tyler T. Schoenke <
tyler.schoenke at colorado.edu> wrote:

>  broctl cron typically doesn't give output.  If it is hanging, you should
> check for other instances of broctl cron running and kill them.   They will
> sometimes log jam.  I haven't figured out why that happens.
>
> Tyler
>
> --
> Tyler Schoenke
> Network Security Program Manager
> IT Security Office
> University of Colorado at Boulder
>
>
> On 2/11/13 9:40 PM, Jesse Bowling wrote:
>
> Hi Tyler,
>
> Thanks for the response.
>
> Yes, I have ensured that these have been run...I've also tried just
> running 'broctl cron' manually, but I get no output and it never seems to
> quit (or at least, outlasts my patience)...Any other hints?
>
> Cheers,
>
> Jesse
>
> On Mon, Feb 11, 2013 at 4:34 PM, Tyler T. Schoenke <
> tyler.schoenke at colorado.edu> wrote:
>
>> Have you run broctl install && broctl check?    I always forget to do
>> that after modifying LogExpireInterval.
>>
>> Tyler
>>
>> --
>> Tyler Schoenke
>> Network Security Program Manager
>> IT Security Office
>> University of Colorado at Boulder
>>
>>
>> On 2/11/13 1:57 PM, Jesse Bowling wrote:
>> > Hi,
>> >
>> > In my /usr/local/bro/etc/broctl.cfg I've specified:
>> >
>> > LogExpireInterval = 14
>> >
>> > Additionally in /etc/cron.d/bro I've specified:
>> >
>> > 0-59/5 * * * * /usr/local/bro/bin/broctl cron
>> >
>> > However I've found that I have more daily directories present than 14
>> > days...What configuration options should I be checking to troubleshoot
>> > this problem?
>> >
>> > Thanks,
>> >
>> > Jesse
>> >
>> > --
>> > Jesse Bowling
>> >
>>
>
>
>
> --
> Jesse Bowling
>
>


-- 
Jesse Bowling
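
Added example, not part of the original thread and not broctl's own code: a read-only check that reports which daily log directories are older than the configured LogExpireInterval, to confirm the symptom described above. It assumes a bare integer value means days (as the poster uses it), that archived logs sit in YYYY-MM-DD directories, and that the log directory is <prefix>/logs; the function names are hypothetical.

```python
import re
from datetime import date, datetime, timedelta

# Constructed sample mirroring the setting quoted in the thread.
SAMPLE_CFG = """\
# broctl.cfg (constructed excerpt)
# LogExpireInterval = 30
LogExpireInterval = 14   # days
"""

def parse_expire_days(cfg_text):
    """Return LogExpireInterval as an int, or None if it is not set.
    Assumption: a bare integer is a number of days."""
    for line in cfg_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        m = re.fullmatch(r"LogExpireInterval\s*=\s*(\d+)", line)
        if m:
            return int(m.group(1))
    return None

def overdue_dirs(names, expire_days, today):
    """Return daily directory names dated before today - expire_days, oldest first."""
    cutoff = today - timedelta(days=expire_days)
    overdue = []
    for name in names:
        try:
            day = datetime.strptime(name, "%Y-%m-%d").date()
        except ValueError:
            continue   # not a daily directory (e.g. 'current', 'stats')
        if day < cutoff:
            overdue.append((day, name))
    return [name for _, name in sorted(overdue)]

if __name__ == "__main__":
    import os
    import sys
    # Install prefix taken from the thread; override with argv[1].
    base = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/bro"
    with open(os.path.join(base, "etc", "broctl.cfg")) as fh:
        days = parse_expire_days(fh.read())
    if not days:
        sys.exit("no positive LogExpireInterval found in broctl.cfg")
    logs = os.path.join(base, "logs")   # assumed log directory
    for d in overdue_dirs(os.listdir(logs), days, date.today()):
        print("past retention:", d)
```

Any directory it prints should already have been removed by a completed 'broctl cron' run; the script itself deletes nothing.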