[Bro] LogExpireInterval not respected?

Daniel Thayer dnthayer at illinois.edu
Wed Feb 13 08:55:14 PST 2013


When "broctl cron" runs, it will output a line (in debug.log)
that indicates it is starting, followed by a lot of output
showing its progress, and finally a line indicating it
is done. It looks something like this:

12 Feb 14:29:30 [command]  cron

<...lots of output here...>

12 Feb 14:30:37 [main]     cron done

If "broctl cron" is hanging, then it might be
useful to check the debug.log to see how far it
gets before it hangs.



On 02/13/2013 09:33 AM, Jesse Bowling wrote:
> Turned debug on, install && check'ed everything, ensured 'broctl cron'
> is in cron, ensured two jobs not running, but still my logs don't expire...
>
> More hints anyone?
>
> Cheers,
>
> Jesse
>
> On Tue, Feb 12, 2013 at 5:27 PM, Daniel Thayer <dnthayer at illinois.edu> wrote:
>
>     Have you tried looking at the <install_prefix>/spool/debug.log file?
>     If that file doesn't exist, then uncomment the "Debug = 1" line
>     in your broctl.cfg file.
>
>
>
>
>     On 02/12/2013 11:18 AM, Jesse Bowling wrote:
>
>         Thanks again Tyler.
>
>         Unfortunately, that was not the case here (although I have
>         observed the same previously). Disabling the cron job and
>         running it manually with strace, we end up hanging after a
>         few minutes:
>
>         read(8, "W", 1)                         = 1
>         read(8, "r", 1)                         = 1
>         read(8, "i", 1)                         = 1
>         read(8, "t", 1)                         = 1
>         read(8, "e", 1)                         = 1
>         read(8, " ", 1)                         = 1
>         read(8, "p", 1)                         = 1
>         read(8, "a", 1)                         = 1
>         read(8, "c", 1)                         = 1
>         read(8, "k", 1)                         = 1
>         read(8, "e", 1)                         = 1
>         read(8, "t", 1)                         = 1
>         read(8, "s", 1)                         = 1
>         read(8, " ", 1)                         = 1
>         read(8, "t", 1)                         = 1
>         read(8, "o", 1)                         = 1
>         read(8, " ", 1)                         = 1
>         read(8, "f", 1)                         = 1
>         read(8, "i", 1)                         = 1
>         read(8, "l", 1)                         = 1
>         read(8, "e", 1)                         = 1
>         read(8, "\n", 1)                        = 1
>         wait4(44650, 0x7fffb630f2e4, WNOHANG, NULL) = 0
>         read(8, "\n", 1)                        = 1
>         wait4(44650, 0x7fffb630f2e4, WNOHANG, NULL) = 0
>         read(8, "~", 1)                         = 1
>         read(8, "~", 1)                         = 1
>         read(8, "~", 1)                         = 1
>         read(8, "\n", 1)                        = 1
>         wait4(44707, 0x7fffb630f2e4, WNOHANG, NULL) = 0
>         read(32, "0", 1)                        = 1
>         read(32, "\n", 1)                       = 1
>         wait4(44707, 0x7fffb630f2e4, WNOHANG, NULL) = 0
>         read(32,
>
>         Any other hints?
>
>         Cheers,
>
>         Jesse
>
>
>         On Tue, Feb 12, 2013 at 9:55 AM, Tyler T. Schoenke
>         <tyler.schoenke at colorado.edu> wrote:
>
>              broctl cron typically doesn't give output.  If it is
>              hanging, you should check for other instances of broctl
>              cron running and kill them.   They will sometimes log jam.
>              I haven't figured out why that happens.
>
>              Tyler
>
>              --
>              Tyler Schoenke
>              Network Security Program Manager
>              IT Security Office
>              University of Colorado at Boulder
>
>
>              On 2/11/13 9:40 PM, Jesse Bowling wrote:
>
>                  Hi Tyler,
>
>                  Thanks for the response.
>
>                  Yes, I have ensured that these have been run...I've
>                  also tried just running 'broctl cron' manually, but I
>                  get no output and it never seems to quit (or at least,
>                  outlasts my patience)...Any other hints?
>
>                  Cheers,
>
>                  Jesse
>
>                  On Mon, Feb 11, 2013 at 4:34 PM, Tyler T. Schoenke
>                  <tyler.schoenke at colorado.edu> wrote:
>
>                      Have you run broctl install && broctl check?    I
>                      always forget to do that after modifying
>                      LogExpireInterval.
>
>                      Tyler
>
>                      --
>                      Tyler Schoenke
>                      Network Security Program Manager
>                      IT Security Office
>                      University of Colorado at Boulder
>
>
>                      On 2/11/13 1:57 PM, Jesse Bowling wrote:
>                      > Hi,
>                      >
>                      > In my /usr/local/bro/etc/broctl.cfg I've specified:
>                      >
>                      > LogExpireInterval = 14
>                      >
>                      > Additionally in /etc/cron.d/bro I've specified:
>                      >
>                      > 0-59/5 * * * * /usr/local/bro/bin/broctl cron
>                      >
>                      > However I've found that I have more daily directories
>                      > present than 14 days...What configuration options
>                      > should I be checking to troubleshoot this problem?
>                      >
>                      > Thanks,
>                      >
>                      > Jesse
>                      >
>                      > --
>                      > Jesse Bowling
>                      >
>
>
>
>
>                  --
>                  Jesse Bowling
>
>
>
>
>         --
>         Jesse Bowling
>
>
>
>         _________________________________________________
>         Bro mailing list
>         bro at bro-ids.org
>         http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
>
>
>
> --
> Jesse Bowling
>
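
An added example, not part of this thread or of BroControl itself: a small Python helper that applies the two checks discussed above. It parses the "cron" / "cron done" lines from spool/debug.log (in the format Daniel describes at the top) to find runs that started but never finished, and how long the completed ones took; and it dry-runs the LogExpireInterval rule over a list of daily directory names so you can see which ones should have been expired. The directory naming convention (YYYY-MM-DD), the year used for the timestamps (debug.log has no year field), and all the sample data are assumptions constructed for the example.

```python
#!/usr/bin/env python3
"""Added example (not BroControl code): two checks for a 'broctl cron'
that appears to hang or fails to expire logs.

  1. cron_runs()/hung_runs(): pair 'cron' start lines with 'cron done'
     lines from spool/debug.log and flag runs that never finished.
  2. expired_dirs(): dry run of the LogExpireInterval rule over daily
     directory names, reporting (not deleting) those past the limit.
"""
import re
from datetime import date, datetime, timedelta

# debug.log line shape quoted in the thread:
#   "12 Feb 14:29:30 [command]  cron"
#   "12 Feb 14:30:37 [main]     cron done"
LINE_RE = re.compile(r"^(\d{1,2} \w{3} \d{2}:\d{2}:\d{2}) \[(\w+)\]\s+(.*)$")

# debug.log has no year field; the year is an assumption supplied by the caller.
DEFAULT_YEAR = 2013


def parse_stamp(stamp, year=DEFAULT_YEAR):
    """Turn '12 Feb 14:29:30' into a datetime (year assumed)."""
    return datetime.strptime(f"{stamp} {year}", "%d %b %H:%M:%S %Y")


def cron_runs(lines, year=DEFAULT_YEAR):
    """Pair each '[command] cron' start with the next '[main] cron done'.

    Returns a list of dicts: {'start': datetime, 'end': datetime|None,
    'seconds': float|None}. A start followed by another start, or by the
    end of the log, has end=None (it never logged 'cron done').
    """
    runs, current = [], None
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue  # progress output between start and done is ignored
        stamp, tag, msg = m.groups()
        msg = msg.strip()
        if tag == "command" and msg == "cron":
            if current is not None:
                runs.append(current)  # previous run never logged 'cron done'
            current = {"start": parse_stamp(stamp, year), "end": None, "seconds": None}
        elif tag == "main" and msg == "cron done" and current is not None:
            current["end"] = parse_stamp(stamp, year)
            current["seconds"] = (current["end"] - current["start"]).total_seconds()
            runs.append(current)
            current = None
    if current is not None:
        runs.append(current)
    return runs


def hung_runs(runs):
    """Runs with no 'cron done' line (hung, or still in progress if last)."""
    return [r for r in runs if r["end"] is None]


def expired_dirs(dirnames, today, expire_days):
    """Dry run of LogExpireInterval: names (YYYY-MM-DD, an assumed convention)
    strictly older than expire_days. Nothing is deleted."""
    cutoff = today - timedelta(days=expire_days)
    out = []
    for name in dirnames:
        try:
            day = date.fromisoformat(name)
        except ValueError:
            continue  # e.g. 'current' or stray files: not a daily directory
        if day < cutoff:
            out.append(name)
    return sorted(out)


# --- constructed sample data (not taken from a real system) ---------------
SAMPLE_DEBUG_LOG = [
    "12 Feb 14:29:30 [command]  cron",
    "12 Feb 14:29:31 [main]     some progress output",
    "12 Feb 14:30:37 [main]     cron done",
    "12 Feb 14:35:00 [command]  cron",
    "12 Feb 14:35:02 [main]     Write packets to file",
    "12 Feb 14:40:00 [command]  cron",   # new run; the previous one never finished
    "12 Feb 14:41:10 [main]     cron done",
]
SAMPLE_DIRS = ["2013-01-25", "2013-01-28", "2013-01-29", "2013-02-10", "current"]
SAMPLE_TODAY = date(2013, 2, 12)
SAMPLE_EXPIRE_DAYS = 14  # LogExpireInterval from the original question


if __name__ == "__main__":
    for r in cron_runs(SAMPLE_DEBUG_LOG):
        state = f"{r['seconds']:.0f}s" if r["end"] else "NEVER FINISHED"
        print(f"cron run started {r['start']:%d %b %H:%M:%S}: {state}")
    print("directories past LogExpireInterval:",
          expired_dirs(SAMPLE_DIRS, SAMPLE_TODAY, SAMPLE_EXPIRE_DAYS))
```

On a real system, pass `open("<install_prefix>/spool/debug.log")` to `cron_runs()` and `os.listdir()` of the logs directory to `expired_dirs()`. A run with no "cron done" that is not the last one in the file is a run that was cut off or hung; the last one may simply still be running, which is the case to compare against `ps` for other `broctl cron` instances as Tyler suggests. If `expired_dirs()` reports directories that are still on disk, the expiry step is never being reached, which fits the hang described in the thread.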
