[Bro] Odd log problem - logs get archived as empty

Jeremy Hoel jthoel at gmail.com
Thu Mar 6 15:49:46 PST 2014


We are running "bro version 2.2" compiled from source on CentOS 6.5.

broctl.cfg for the logging parts is:
LogDir = /usr/local/bro/logs
LogRotationInterval = 3600
LogExpireInterval = 14
MinDiskSpace = 5

bro is run from broctl.

log files in /usr/local/bro/logs/current are fine:
-rw-r-----. 1 root root    121 Mar  6 23:23 .cmdline
-rw-r-----. 1 root root  14820 Mar  6 23:44 communication.log
-rw-r-----. 1 root root    391 Mar  6 23:28 dhcp.log
-rw-r-----. 1 root root 826073 Mar  6 23:45 dns.log
-rw-r-----. 1 root root    355 Mar  6 23:38 dpd.log
-rw-r-----. 1 root root    314 Mar  6 23:23 .env_vars
-rw-r-----. 1 root root    961 Mar  6 23:39 files.log
-rw-r-----. 1 root root  14907 Mar  6 23:23 loaded_scripts.log
-rw-r-----. 1 root root    226 Mar  6 23:23 packet_filter.log
-rw-r-----. 1 root root      5 Mar  6 23:23 .pid
-rw-r-----. 1 root root     58 Mar  6 23:23 .startup
drwx------. 3 root root   4096 Mar  6 23:23 .state
-rwx------. 1 root root     18 Mar  6 23:23 .status
-rw-r-----. 1 root root     46 Mar  6 23:23 stderr.log
-rw-r-----. 1 root root     30 Mar  6 23:23 stdout.log
-rw-r-----. 1 root root    330 Mar  6 23:33 tunnel.log

but when they get cycled out to the normal log archive they become empty
blank files.
ls -al /usr/local/bro/logs/2014-03-06
-rw-r-----.  1 root root     2 Mar  6 01:00 communication.00:00:00-01:00:00.log.
-rw-r-----.  1 root root     2 Mar  6 02:00 communication.01:00:00-02:00:00.log.
-rw-r-----.  1 root root     2 Mar  6 03:00 communication.02:00:00-03:00:00.log.
-rw-r-----.  1 root root     2 Mar  6 04:00 communication.03:00:00-04:00:00.log.
-rw-r-----.  1 root root     2 Mar  6 05:00 communication.04:00:00-05:00:00.log.
-rw-r-----.  1 root root     2 Mar  6 06:00 communication.05:00:00-06:00:00.log.
-rw-r-----.  1 root root     2 Mar  6 07:00 communication.06:00:00-07:00:00.log.
-rw-r-----.  1 root root     2 Mar  6 08:00 communication.07:00:00-08:00:00.log.
-rw-r-----.  1 root root     2 Mar  6 09:00 communication.08:00:00-09:00:00.log.
-rw-r-----.  1 root root     2 Mar  6 10:00 communication.09:00:00-10:00:00.log.
-rw-r-----.  1 root root     2 Mar  6 11:00 communication.10:00:00-11:00:00.log.
-rw-r-----.  1 root root     2 Mar  6 12:00 communication.11:00:00-12:00:00.log.
-rw-r-----.  1 root root     2 Mar  6 13:00 communication.12:00:00-13:00:00.log.
etc.. etc.. etc..

I know at one point this was working, but we went back today to look for
something and noticed this problem.

Any ideas where to start to look for reasons why this might be happening?


Just for giggles, local.bro looks like this:

@load misc/loaded-scripts
@load tuning/defaults

event bro_init()
        {
        Log::disable_stream(HTTP::LOG);
        Log::disable_stream(Syslog::LOG);
        Log::disable_stream(Conn::LOG);
        Log::disable_stream(SMTP::LOG);
        Log::disable_stream(Weird::LOG);
        Log::disable_stream(SSL::LOG);
        Log::remove_default_filter(DNS::LOG);
        Log::add_filter(DNS::LOG, [$name="new-default",
                $include=set("ts","id.orig_h","id.orig_p","id.resp_h","id.resp_p",
                             "proto","trans_id","query","qclass_name","qtype_name",
                             "rcode_name","AA","answers","RA","RD","TTL")]);
        }


Thanks!
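A check that goes with the problem described above, added here as an example and not part of the original post or of Bro/broctl: rather than reading hourly ls listings by eye, walk the archive and report every rotated log at or below a size threshold, grouped by stream, so it is immediately visible whether every stream is affected or only some, and since when. The script assumes the archive layout the post shows (LogDir/YYYY-MM-DD/<stream>.<interval>.log[.gz], live logs in LogDir/current) and defaults the threshold to 2 bytes, the size of every archived file in the listing; both are assumptions, not facts from the page.

```shell
#!/bin/sh
# Added example (not from the original post or from Bro/broctl): walk a Bro
# log archive and list rotated log files whose size is at or below a threshold,
# so "archived as empty" files like the ones in the post can be spotted per
# stream without eyeballing ls output.
#
# Assumptions (not stated on the page):
#   - archive layout is LogDir/YYYY-MM-DD/<stream>.<interval>.log[.gz], with the
#     live logs in LogDir/current (the layout shown in the post)
#   - the default threshold is 2 bytes, the size of every archived file in the post

# find_small_logs DIR [MAXBYTES]
# Prints "size<TAB>path" for each regular *.log* file under DIR whose size is
# <= MAXBYTES (default 2), skipping DIR/current. Prints nothing if none match.
find_small_logs() {
    dir=$1
    max=${2:-2}
    # find's "-size -Nc" means strictly less than N bytes, so use max+1
    limit=$((max + 1))
    find "$dir" -path "$dir/current" -prune -o \
         -type f -name '*.log*' -size -"${limit}c" -print |
    sort |
    while IFS= read -r f; do
        sz=$(wc -c < "$f" | tr -d ' ')
        printf '%s\t%s\n' "$sz" "$f"
    done
}

# small_log_streams DIR [MAXBYTES]
# Distinct stream names (the part of the file name before the first dot)
# among the files find_small_logs reports; one name per line, sorted.
small_log_streams() {
    find_small_logs "$1" "${2:-2}" |
    cut -f2 |
    while IFS= read -r f; do
        basename "$f" | cut -d. -f1
    done |
    sort -u
}

# count_small_logs DIR [MAXBYTES]: number of files find_small_logs reports.
count_small_logs() {
    find_small_logs "$1" "${2:-2}" | wc -l | tr -d ' '
}

# Usage: sh small_logs.sh /usr/local/bro/logs [MAXBYTES]
if [ -n "$1" ]; then
    find_small_logs "$1" "$2"
    echo "streams with near-empty archived logs:"
    small_log_streams "$1" "$2"
fi
```

Running it against LogDir answers the first question to ask here: if only some streams come back (or only some hours), the rotation of those streams is suspect; if every stream in every hour is listed, the archive step itself is the place to look. The threshold is a parameter so the same check works for a header-only file of a few dozen bytes, not just the 2-byte case.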