[Bro] LogExpireInterval not respected?

Daniel Thayer dnthayer at illinois.edu
Tue Feb 12 14:27:18 PST 2013


Have you tried looking at the <install_prefix>/spool/debug.log file?
If that file doesn't exist, then uncomment the "Debug = 1" line
in your broctl.cfg file.



On 02/12/2013 11:18 AM, Jesse Bowling wrote:
> Thanks again Tyler.
>
> Unfortunately, that was not the case here (although I have observed the
> same previously). Disabling the cron job and running it manually with
> strace, we end up hanging after a few minutes:
>
> read(8, "W", 1)                         = 1
> read(8, "r", 1)                         = 1
> read(8, "i", 1)                         = 1
> read(8, "t", 1)                         = 1
> read(8, "e", 1)                         = 1
> read(8, " ", 1)                         = 1
> read(8, "p", 1)                         = 1
> read(8, "a", 1)                         = 1
> read(8, "c", 1)                         = 1
> read(8, "k", 1)                         = 1
> read(8, "e", 1)                         = 1
> read(8, "t", 1)                         = 1
> read(8, "s", 1)                         = 1
> read(8, " ", 1)                         = 1
> read(8, "t", 1)                         = 1
> read(8, "o", 1)                         = 1
> read(8, " ", 1)                         = 1
> read(8, "f", 1)                         = 1
> read(8, "i", 1)                         = 1
> read(8, "l", 1)                         = 1
> read(8, "e", 1)                         = 1
> read(8, "\n", 1)                        = 1
> wait4(44650, 0x7fffb630f2e4, WNOHANG, NULL) = 0
> read(8, "\n", 1)                        = 1
> wait4(44650, 0x7fffb630f2e4, WNOHANG, NULL) = 0
> read(8, "~", 1)                         = 1
> read(8, "~", 1)                         = 1
> read(8, "~", 1)                         = 1
> read(8, "\n", 1)                        = 1
> wait4(44707, 0x7fffb630f2e4, WNOHANG, NULL) = 0
> read(32, "0", 1)                        = 1
> read(32, "\n", 1)                       = 1
> wait4(44707, 0x7fffb630f2e4, WNOHANG, NULL) = 0
> read(32,
>
> Any other hints?
>
> Cheers,
>
> Jesse
>
>
> On Tue, Feb 12, 2013 at 9:55 AM, Tyler T. Schoenke
> <tyler.schoenke at colorado.edu> wrote:
>
>     broctl cron typically doesn't give output.  If it is hanging, you
>     should check for other instances of broctl cron running and kill
>     them.   They will sometimes log jam.  I haven't figured out why that
>     happens.
>
>     Tyler
>
>     --
>     Tyler Schoenke
>     Network Security Program Manager
>     IT Security Office
>     University of Colorado at Boulder
>
>
>     On 2/11/13 9:40 PM, Jesse Bowling wrote:
>>     Hi Tyler,
>>
>>     Thanks for the response.
>>
>>     Yes, I have ensured that these have been run...I've also tried
>>     just running 'broctl cron' manually, but I get no output and it
>>     never seems to quit (or at least, outlasts my patience)...Any
>>     other hints?
>>
>>     Cheers,
>>
>>     Jesse
>>
>>     On Mon, Feb 11, 2013 at 4:34 PM, Tyler T. Schoenke
>>     <tyler.schoenke at colorado.edu> wrote:
>>
>>         Have you run broctl install && broctl check?  I always
>>         forget to do that after modifying LogExpireInterval.
>>
>>         Tyler
>>
>>         --
>>         Tyler Schoenke
>>         Network Security Program Manager
>>         IT Security Office
>>         University of Colorado at Boulder
>>
>>
>>         On 2/11/13 1:57 PM, Jesse Bowling wrote:
>>         > Hi,
>>         >
>>         > In my /usr/local/bro/etc/broctl.cfg I've specified:
>>         >
>>         > LogExpireInterval = 14
>>         >
>>         > Additionally in /etc/cron.d/bro I've specified:
>>         >
>>         > 0-59/5 * * * * /usr/local/bro/bin/broctl cron
>>         >
>>         > However I've found that I have more daily directories
>>         > present than 14 days...What configuration options should I
>>         > be checking to troubleshoot this problem?
>>         >
>>         > Thanks,
>>         >
>>         > Jesse
>>         >
>>         > --
>>         > Jesse Bowling
>>         >
>>
>>
>>
>>
>>     --
>>     Jesse Bowling
>>
>
>
>
> --
> Jesse Bowling
>
>
>
>
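An added example, not part of the original thread and not broctl's own code: a Python check that reads LogExpireInterval from a broctl.cfg-style file and lists the daily log directories older than that many days, which is the symptom reported at the start of the thread. It assumes the daily directories are named YYYY-MM-DD and that the interval is a number of days; the function names and the sample tree are constructed for illustration.

```python
import datetime
import os
import re
import tempfile

DATE_DIR = re.compile(r"^\d{4}-\d{2}-\d{2}$")  # assumed daily directory naming

def read_option(cfg_path, name):
    """Return the last uncommented 'name = value' from a broctl.cfg-style file, or None."""
    value = None
    with open(cfg_path) as fh:
        for line in fh:
            line = line.split("#", 1)[0].strip()  # drop comments
            key, sep, val = line.partition("=")
            if sep and key.strip().lower() == name.lower():
                value = val.strip()
    return value

def overdue_dirs(log_dir, cfg_path, today=None):
    """List daily directories older than LogExpireInterval days, oldest first."""
    raw = read_option(cfg_path, "LogExpireInterval")
    if raw is None or not raw.isdigit() or int(raw) == 0:
        return []  # no usable interval configured: nothing counts as overdue
    cutoff = (today or datetime.date.today()) - datetime.timedelta(days=int(raw))
    overdue = []
    for entry in sorted(os.listdir(log_dir)):
        if not DATE_DIR.match(entry) or not os.path.isdir(os.path.join(log_dir, entry)):
            continue
        try:
            day = datetime.date.fromisoformat(entry)
        except ValueError:
            continue  # looks like a date but is not a valid one
        if day < cutoff:
            overdue.append(entry)
    return overdue

def demo():
    """Build a constructed config and log tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        cfg = os.path.join(root, "broctl.cfg")
        with open(cfg, "w") as fh:
            fh.write("# Debug = 1\nLogExpireInterval = 14\n")
        logs = os.path.join(root, "logs")
        for name in ("2013-01-20", "2013-01-28", "2013-01-29", "2013-02-12", "current"):
            os.makedirs(os.path.join(logs, name))
        return overdue_dirs(logs, cfg, today=datetime.date(2013, 2, 12))

if __name__ == "__main__":
    print(demo())
```

A non-empty result on a live sensor means expiration is not completing, which is the point at which the hung `broctl cron` instances and debug.log mentioned in the thread are worth checking.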



