[Bro] bro-spool/manager oddity

Russell Fulton r.fulton at auckland.ac.nz
Sun Mar 2 18:01:54 PST 2014


Hi

I recently realised that my bro logs were not getting into ELSA, so I started checking things and found that the bro-logs looked kosher, with all the compressed files that one would expect.  Next I looked at current (linked to bro-spool/manager):

rful011 at secmontst01:~$ ls -Ll /data/sensors/test1/bro-logs/current
total 36
-rw-r--r-- 1 root root 25519 Mar  3 13:33 communication.log
-rw-r--r-- 1 root root     0 Feb 20 13:22 stderr.log
-rw-r--r-- 1 root root    30 Feb 20 13:22 stdout.log

Weird!  The bro hourly process that rolled and compressed the files could find them, but I could not, and neither could syslog-ng.

broctl restart fixed the issue.

I am just reporting this for completeness in case anyone else has the same issue.

All I can think of is that the files were somehow unlinked, and the processes writing them and rolling them over always keep the files open, so they stay ‘hidden’.  Presumably this is how the manager works.

Russell
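The behaviour suspected in the post (a log that an hourly rotation job can still reach while ls and a log shipper cannot) is what happens when a directory entry is unlinked while a process still holds the file open. The script below is an added example, not code from the original post or from Bro/Zeek: a background writer opens a log once and keeps appending, the parent removes the name, and the content stays readable through the writer's /proc/<pid>/fd entry until the last descriptor closes. It assumes Linux (/proc); the file name and log lines are constructed for the demo.

```sh
#!/bin/sh
# Added example; not code from the original post or from Bro/Zeek.
# Demonstrates the mechanism the post suspects: a process keeps a log file
# open, the directory entry is removed, the process keeps writing, and the
# data stays reachable through the writer's /proc/<pid>/fd entry until the
# last descriptor closes. Linux-specific (/proc). The file name and log
# lines are constructed for the demo.

demo_unlinked_open_file() {
    dir=$(mktemp -d) || return 1
    log="$dir/communication.log"
    ready="$dir/ready"
    go="$dir/go"
    mkfifo "$ready" "$go" || { rm -rf "$dir"; return 1; }

    # Background writer: opens the log once on fd 3 and never reopens it,
    # like a long-running daemon. The FIFOs only keep it in lock-step with
    # the parent so the checks below are not racy.
    (
        exec 3>>"$log"
        echo "line 1: written while the file was still linked" >&3
        echo ready >"$ready"
        read -r dummy <"$go"
        echo "line 2: written after the directory entry was removed" >&3
        echo ready >"$ready"
        read -r dummy <"$go"
        exec 3>&-
    ) &
    pid=$!

    read -r dummy <"$ready"                 # line 1 is on disk
    rm "$log"                                # unlink: the name is gone ...
    if [ -e "$log" ]; then kill "$pid"; rm -rf "$dir"; return 2; fi  # ... so ls/stat no longer find it
    echo go >"$go"
    read -r dummy <"$ready"                 # line 2 went to the unlinked inode

    # The inode is still alive because fd 3 references it; /proc exposes it
    # and the kernel appends " (deleted)" to the link target.
    target=$(readlink "/proc/$pid/fd/3")
    case "$target" in
        *"(deleted)") ;;
        *) kill "$pid"; rm -rf "$dir"; return 3 ;;
    esac

    # Opening the magic link opens the file itself, so the content can be
    # read and copied out before the writer closes it. This is the
    # recovery step for a "vanished" log.
    lines=$(wc -l <"/proc/$pid/fd/3" | tr -d ' ')
    cp "/proc/$pid/fd/3" "$dir/recovered.log"

    echo go >"$go"
    wait "$pid"                              # writer closes fd 3: inode is now freed
    rm -rf "$dir"
    echo "$lines"                            # 2
}

demo_unlinked_open_file
```

On a live sensor the same check is `ls -l /proc/<pid>/fd | grep deleted` for the manager's pid, or `lsof +L1` to list every open file whose link count has dropped to zero system-wide; either one tells the unlinked-but-open case apart from a writer that simply stopped logging, and `cp /proc/<pid>/fd/N` recovers the data before a restart closes the descriptor and frees the inode.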