[Bro] LogExpireInterval not respected?

Jesse Bowling jessebowling at gmail.com
Wed Feb 13 07:33:34 PST 2013 

Turned debug on, install && check'ed everything, ensured 'broctl cron' is
in cron, ensured two jobs not running, but still my logs don't expire...

More hints anyone?

Cheers,

Jesse

On Tue, Feb 12, 2013 at 5:27 PM, Daniel Thayer <dnthayer at illinois.edu>wrote:

> Have you tried looking at the <install_prefix>/spool/debug.**log file?
> If that file doesn't exist, then uncomment the "Debug = 1" line
> in your broctl.cfg file.
>
>
>
>
> On 02/12/2013 11:18 AM, Jesse Bowling wrote:
>
>> Thanks again Tyler.
>>
>> Unfortunately, that was not the case here (although I have observed the
>> same previously). Disabling the cron job and running it manually with
>> strace, we end up hanging after a few minutes:
>>
>> read(8, "W", 1)                         = 1
>> read(8, "r", 1)                         = 1
>> read(8, "i", 1)                         = 1
>> read(8, "t", 1)                         = 1
>> read(8, "e", 1)                         = 1
>> read(8, " ", 1)                         = 1
>> read(8, "p", 1)                         = 1
>> read(8, "a", 1)                         = 1
>> read(8, "c", 1)                         = 1
>> read(8, "k", 1)                         = 1
>> read(8, "e", 1)                         = 1
>> read(8, "t", 1)                         = 1
>> read(8, "s", 1)                         = 1
>> read(8, " ", 1)                         = 1
>> read(8, "t", 1)                         = 1
>> read(8, "o", 1)                         = 1
>> read(8, " ", 1)                         = 1
>> read(8, "f", 1)                         = 1
>> read(8, "i", 1)                         = 1
>> read(8, "l", 1)                         = 1
>> read(8, "e", 1)                         = 1
>> read(8, "\n", 1)                        = 1
>> wait4(44650, 0x7fffb630f2e4, WNOHANG, NULL) = 0
>> read(8, "\n", 1)                        = 1
>> wait4(44650, 0x7fffb630f2e4, WNOHANG, NULL) = 0
>> read(8, "~", 1)                         = 1
>> read(8, "~", 1)                         = 1
>> read(8, "~", 1)                         = 1
>> read(8, "\n", 1)                        = 1
>> wait4(44707, 0x7fffb630f2e4, WNOHANG, NULL) = 0
>> read(32, "0", 1)                        = 1
>> read(32, "\n", 1)                       = 1
>> wait4(44707, 0x7fffb630f2e4, WNOHANG, NULL) = 0
>> read(32,
>>
>> Any other hints?
>>
>> Cheers,
>>
>> Jesse
>>
>>
>> On Tue, Feb 12, 2013 at 9:55 AM, Tyler T. Schoenke
>> <tyler.schoenke at colorado.edu <mailto:tyler.schoenke@**colorado.edu<tyler.schoenke at colorado.edu>>>
>> wrote:
>>
>>     broctl cron typically doesn't give output.  If it is hanging, you
>>     should check for other instances of broctl cron running and kill
>>     them.   They will sometimes log jam.  I haven't figured out why that
>>     happens.
>>
>>     Tyler
>>
>>     --
>>     Tyler Schoenke
>>     Network Security Program Manager
>>     IT Security Office
>>     University of Colorado at Boulder
>>
>>
>>     On 2/11/13 9:40 PM, Jesse Bowling wrote:
>>
>>>     Hi Tyler,
>>>
>>>     Thanks for the response.
>>>
>>>     Yes, I have ensured that these have been run...I've also tried
>>>     just running 'broctl cron' manually, but I get no output and it
>>>     never seems to quit (or at least, outlasts my patience)...Any
>>>     other hints?
>>>
>>>     Cheers,
>>>
>>>     Jesse
>>>
>>>     On Mon, Feb 11, 2013 at 4:34 PM, Tyler T. Schoenke
>>>     <tyler.schoenke at colorado.edu <mailto:tyler.schoenke@**colorado.edu<tyler.schoenke at colorado.edu>
>>> >>
>>>
>>>     wrote:
>>>
>>>         Have you run broctl install && broctl check?    I always
>>>         forget to do
>>>         that after modifying LogExpireInterval.
>>>
>>>         Tyler
>>>
>>>         --
>>>         Tyler Schoenke
>>>         Network Security Program Manager
>>>         IT Security Office
>>>         University of Colorado at Boulder
>>>
>>>
>>>         On 2/11/13 1:57 PM, Jesse Bowling wrote:
>>>         > Hi,
>>>         >
>>>         > In my /usr/local/bro/etc/broctl.cfg I've specified:
>>>         >
>>>         > LogExpireInterval = 14
>>>         >
>>>         > Additionally in /etc/cron.d/bro I've specified:
>>>         >
>>>         > 0-59/5 * * * * /usr/local/bro/bin/broctl cron
>>>         >
>>>         > However I've found that I have more daily directories
>>>         present that 14
>>>         > days...What configuration options should I be checking to
>>>         troubleshoot
>>>         > this problem?
>>>         >
>>>         > Thanks,
>>>         >
>>>         > Jesse
>>>         >
>>>         > --
>>>         > Jesse Bowling
>>>         >
>>>
>>>
>>>
>>>
>>>     --
>>>     Jesse Bowling
>>>
>>>
>>
>>
>> --
>> Jesse Bowling
>>
>>
>>
>> ______________________________**_________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.**EDU/mailman/listinfo/bro<http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro>
>>
>>
>


-- 
Jesse Bowling
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20130213/86d2b343/attachment.html

More information about the Bro mailing list