[Bro] Bro hanging on some sensors
Kellogg, Brian D (OLN)
bkellogg at dresser-rand.com
Wed Jun 11 14:25:51 PDT 2014
I have several SecurityOnion sensors and most are working ok. There are a couple that I see the below problem on with Bro.
The /nsm/bro/spool/manager/communication.log file shows the below in it on each of the problem sensors:
1402520922.886012 manager parent - - - info warning: cannot increase SO_SNDBUF socket buffer size from 16384K (1024K was requested)
1402520922.886012 manager parent - - - info warning: cannot increase SO_RCVBUF socket buffer size from 16384K (1024K was requested)
1402520922.886012 manager parent - - - info warning: cannot increase SO_SNDBUF socket buffer size from 16384K (1024K was requested)
1402520922.886012 manager parent - - - info warning: cannot increase SO_RCVBUF socket buffer size from 16384K (1024K was requested)
1402520922.886012 manager parent - - - info communication started, parent pid is 3646, child pid is 3660
I only ever see these files created in the Bro log working directory:
communication.log
loaded_scripts.log
eporter.log
stderr.log
stdout.log
Most of the sensors are configured exactly the same both software and hardware wise; so I'm not seeing a correlation there as yet. I've tried rebooting and using broctl commands and so far no resolution. Many time "broctl check" will hang. I have all the latest patches on SO installed. Any help would be appreciated.
The only major change I've made in the last month is to add a few Intel feeds.
Thanks,
Brian
More information about the Bro
mailing list