[Bro] Odd log problem - logs get archived as empty
Daniel Thayer
dnthayer at illinois.edu
Thu Mar 6 17:10:19 PST 2014
You need to do "broctl install" after upgrading (that will update
your broctl-config.sh file).
On 03/06/2014 06:58 PM, Jeremy Hoel wrote:
> So I added those two lines, restarted bro "broctl restart" waited a
> number of minutes, then restarted it again, the logs moved into the
> archive directory, but still end up empty and with the dot at the end.
>
> I'm heading home for the night, but I'll keep reading and checking out
> some things.
>
> Thanks!
>
>
> On Fri, Mar 7, 2014 at 12:51 AM, Jeremy Hoel <jthoel at gmail.com> wrote:
>
> # grep compress /usr/local/bro/spool/broctl-config.sh
> compresslogs="1"
>
>
> That is interesting. So it's missing the two lines:
> compresscmd = gzip -9
> compressextension = gz
>
> I'll add those and restart and see what happens
>
> Side note - this is an upgrade from 2.1 to 2.2
>
> And I think/thought it was working in 2.1
>
>
>
>
> On Fri, Mar 7, 2014 at 12:43 AM, Justin Azoff <JAzoff at albany.edu> wrote:
>
> On Fri, Mar 07, 2014 at 12:11:09AM +0000, Jeremy Hoel wrote:
> > # broctl config | grep compress
> > compresscmd = gzip -9
> > compressextension = gz
> > compresslogs = 1
> >
> >
> > If the variables are blank, wouldn't, worst case, it copy the files in and just
> > have them be big?
>
> not sure.. the command it runs is:
>
> nice ${compresscmd} <$1 >$dest.${compressextension}
>
> if compresslogs is not 1, then it just runs
>
> nice cp $1 $dest
>
> Your logs have a '.' at the end so it is clearly trying to do
> something,
> but not having the right variables there.
>
> You should have one or more 'broctl-config.sh' files
>
> something like:
>
> /usr/local/bro/spool/broctl-config.sh
>
> try
>
> grep compress /usr/local/bro/spool/broctl-config.sh
>
> you should get the same output.
>
> --
> -- Justin Azoff
>
>
>
>
>
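
The check discussed in this thread, as an added example that is not part of the original messages or of broctl: it flags a generated broctl-config.sh that has `compresslogs="1"` but lacks `compresscmd` or `compressextension`, and lists archived logs that are empty or end in a dot. The function names are hypothetical, the `name="value"` layout is assumed from the `compresslogs="1"` line quoted above, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: audit a generated broctl-config.sh and a log archive for
# the symptom in this thread. Function names are hypothetical.

# Print each compression setting that is absent or empty in the config.
# Returns 1 if compresslogs is 1 and a setting is missing, otherwise 0.
missing_compress_vars() {
    cfg=$1
    # The compress command is only used when compresslogs is 1.
    grep -Eq '^compresslogs="?1"?$' "$cfg" || return 0
    rc=0
    for var in compresscmd compressextension; do
        # Assumed layout: name="non-empty value" (quotes optional).
        if ! grep -Eq "^${var}=\"?[^\"]" "$cfg"; then
            echo "$var"
            rc=1
        fi
    done
    return $rc
}

# List archived logs that are zero bytes or whose name ends in '.', which
# is what "$dest.${compressextension}" yields with an empty extension.
suspect_archives() {
    find "$1" -type f \( -size 0 -o -name '*.' \) | sort
}

# Constructed sample data, not taken from a real sensor.
demo=$(mktemp -d)
printf 'compresslogs="1"\n' > "$demo/stale.sh"
printf 'compresslogs="1"\ncompresscmd="gzip -9"\ncompressextension="gz"\n' \
    > "$demo/fresh.sh"
mkdir -p "$demo/logs/2014-03-06"
: > "$demo/logs/2014-03-06/conn.18:00:00-19:00:00.log."
printf 'constructed\n' > "$demo/logs/2014-03-06/dns.18:00:00-19:00:00.log.gz"

# Report a stale config and any archives showing the symptom.
missing_compress_vars "$demo/stale.sh" \
    || echo "settings missing: run 'broctl install' to regenerate the config"
suspect_archives "$demo/logs"
```
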