[Bro] Odd log problem - logs get archived as empty

Jeremy Hoel jthoel at gmail.com
Thu Mar 6 16:58:26 PST 2014


So I added those two lines, restarted bro ("broctl restart"), waited a number
of minutes, then restarted it again. The logs moved into the archive
directory, but still end up empty and with the dot at the end.

I'm heading home for the night, but I'll keep reading and checking out some
things.

Thanks!


On Fri, Mar 7, 2014 at 12:51 AM, Jeremy Hoel <jthoel at gmail.com> wrote:

> # grep compress /usr/local/bro/spool/broctl-config.sh
> compresslogs="1"
>
>
> That is interesting.  So it's missing the two lines:
> compresscmd = gzip -9
> compressextension = gz
>
> I'll add those and restart and see what happens
>
> Side note - this is an upgrade from 2.1 to 2.2
>
> And I think/thought it was working in 2.1
>
>
>
>
> On Fri, Mar 7, 2014 at 12:43 AM, Justin Azoff <JAzoff at albany.edu> wrote:
>
>> On Fri, Mar 07, 2014 at 12:11:09AM +0000, Jeremy Hoel wrote:
>> > #  broctl config | grep compress
>> > compresscmd = gzip -9
>> > compressextension = gz
>> > compresslogs = 1
>> >
>> >
>> > If the variables are blank, wouldn't, worst case, it copy the files in
>> and just
>> > have them be big?
>>
>> not sure.. the command it runs is:
>>
>>     nice ${compresscmd} <$1 >$dest.${compressextension}
>>
>> if compresslogs is not 1, then it just runs
>>
>>     nice cp $1 $dest
>>
>> Your logs have a '.' at the end so it is clearly trying to do something,
>> but not having the right variables there.
>>
>> You should have one or more 'broctl-config.sh' files
>>
>> something like:
>>
>>     /usr/local/bro/spool/broctl-config.sh
>>
>> try
>>
>>     grep compress /usr/local/bro/spool/broctl-config.sh
>>
>> you should get the same output.
>>
>> --
>> -- Justin Azoff
>>
>
>
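The two code paths Justin quotes from broctl's archive step (compress to "$dest.$ext" when compresslogs is 1, plain "cp" otherwise) are reproduced below, with the one check the symptom in this thread calls for: if compresslogs is 1 but compresscmd or compressextension is empty, the shell expands the command to "nice <$1 >$dest." with no compressor, which is exactly how a file ending in a bare dot appears. This is an added example written for this archive page, not broctl's own archive-log script; the variable names compresslogs, compresscmd and compressextension are the ones from the thread and from broctl-config.sh, while the function names, the config parser and the refusal check are assumptions of the example. The config lines in the test are constructed.

```shell
#!/bin/sh
# Added example (not broctl's own code): mirrors the archive step described in
# the thread and refuses to run it with the half-configured settings that
# produce an empty "<dest>." file.

# run_nice CMD...: use nice(1) where available, otherwise run CMD directly.
run_nice() {
    if command -v nice >/dev/null 2>&1; then nice "$@"; else "$@"; fi
}

# cfg_get NAME FILE: print the value of NAME="value" (or NAME=value) from a
# broctl-config.sh style file; prints nothing if NAME is absent.
cfg_get() {
    sed -n "s/^$1=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$2" | head -n 1
}

# check_compress_config FILE: what "grep compress broctl-config.sh" should
# have told the poster. Returns 0 when the three settings are consistent,
# 1 when compresslogs=1 but the command or extension is missing.
check_compress_config() {
    cfg="$1"
    logs=$(cfg_get compresslogs "$cfg")
    cmd=$(cfg_get compresscmd "$cfg")
    ext=$(cfg_get compressextension "$cfg")
    if [ "$logs" != "1" ]; then
        echo "compresslogs='$logs': archived logs will be copied, not compressed"
        return 0
    fi
    if [ -z "$cmd" ] || [ -z "$ext" ]; then
        echo "compresslogs=1 but compresscmd='$cmd' compressextension='$ext':" \
             "archive step would run 'nice' with no command and write '<dest>.$ext'" >&2
        return 1
    fi
    echo "compresslogs=1 compresscmd='$cmd' compressextension='$ext': ok"
    return 0
}

# archive_log SRC DEST COMPRESSLOGS COMPRESSCMD COMPRESSEXTENSION
# Same two branches as the quoted broctl snippet, plus the guard. Prints the
# path of the archived file on success.
archive_log() {
    src="$1"; dest="$2"; logs="$3"; cmd="$4"; ext="$5"
    if [ "$logs" != "1" ]; then
        # the "not compressing" branch: nice cp $1 $dest
        run_nice cp "$src" "$dest" && echo "$dest"
        return
    fi
    if [ -z "$cmd" ] || [ -z "$ext" ]; then
        echo "refusing to archive $src: compresslogs=1 with empty compresscmd or compressextension" >&2
        return 1
    fi
    # the compressing branch: nice ${compresscmd} <$1 >$dest.${compressextension}
    # $cmd is deliberately unquoted so "gzip -9" splits into command and flag.
    run_nice $cmd <"$src" >"$dest.$ext" && echo "$dest.$ext"
}

# Usage: ./archive-check.sh /usr/local/bro/spool/broctl-config.sh
if [ "$#" -ge 1 ]; then
    check_compress_config "$1"
fi
```

Running the script against the spool copy of broctl-config.sh answers the question in the thread directly: a config that sets compresslogs="1" without the other two lines fails the check, while one that defines all three (or turns compression off) passes.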