[Bro] Bro hanging on some sensors
Doug Burks
doug.burks at gmail.com
Thu Jun 12 02:23:41 PDT 2014
Hi Brian,
How exactly did you add your Intel feeds?
On Wed, Jun 11, 2014 at 5:25 PM, Kellogg, Brian D (OLN)
<bkellogg at dresser-rand.com> wrote:
> I have several SecurityOnion sensors and most are working ok. There are a couple that I see the below problem on with Bro.
>
> The /nsm/bro/spool/manager/communication.log file shows the below in it on each of the problem sensors:
> 1402520922.886012 manager parent - - - info warning: cannot increase SO_SNDBUF socket buffer size from 16384K (1024K was requested)
> 1402520922.886012 manager parent - - - info warning: cannot increase SO_RCVBUF socket buffer size from 16384K (1024K was requested)
> 1402520922.886012 manager parent - - - info warning: cannot increase SO_SNDBUF socket buffer size from 16384K (1024K was requested)
> 1402520922.886012 manager parent - - - info warning: cannot increase SO_RCVBUF socket buffer size from 16384K (1024K was requested)
> 1402520922.886012 manager parent - - - info communication started, parent pid is 3646, child pid is 3660
>
> I only ever see these files created in the Bro log working directory:
> communication.log
> loaded_scripts.log
> eporter.log
> stderr.log
> stdout.log
>
> Most of the sensors are configured exactly the same both software and hardware wise; so I'm not seeing a correlation there as yet. I've tried rebooting and using broctl commands and so far no resolution. Many time "broctl check" will hang. I have all the latest patches on SO installed. Any help would be appreciated.
>
> The only major change I've made in the last month is to add a few Intel feeds.
>
>
> Thanks,
> Brian
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
--
Doug Burks
More information about the Bro
mailing list