[Bro] Odd log problem - logs get archived as empty

Jeremy Hoel jthoel at gmail.com
Thu Mar 6 18:05:17 PST 2014


Right right.. I so rarely change that; I forgot.  Thank you and I'll test
that tomorrow.
On Mar 6, 2014 6:42 PM, "Daniel Thayer" <dnthayer at illinois.edu> wrote:

> You need to do "broctl install" after upgrading (that will update
> your broctl-config.sh file).
>
>
>
> On 03/06/2014 06:58 PM, Jeremy Hoel wrote:
>
>> So I added those two lines, restarted bro "broctl restart" waited a
>> number of minutes, then restarted it again, the logs moved into the
>> archive directory, but still end up empty and with the dot at the end.
>>
>> I'm heading home for the night, but I'll keep reading and checking out
>> some things.
>>
>> Thanks!
>>
>>
>> On Fri, Mar 7, 2014 at 12:51 AM, Jeremy Hoel <jthoel at gmail.com
>> <mailto:jthoel at gmail.com>> wrote:
>>
>>     # grep compress /usr/local/bro/spool/broctl-config.sh
>>     compresslogs="1"
>>
>>
>>     That is interesting.  So it's missing the two lines:
>>     compresscmd = gzip -9
>>     compressextension = gz
>>
>>     I'll add those and restart and see what happens
>>
>>     Side note - this is an upgrade from 2.1 to 2.2
>>
>>     And I think/thought it was working in 2.1
>>
>>
>>
>>
>>     On Fri, Mar 7, 2014 at 12:43 AM, Justin Azoff <JAzoff at albany.edu
>>     <mailto:JAzoff at albany.edu>> wrote:
>>
>>         On Fri, Mar 07, 2014 at 12:11:09AM +0000, Jeremy Hoel wrote:
>>          > #  broctl config | grep compress
>>          > compresscmd = gzip -9
>>          > compressextension = gz
>>          > compresslogs = 1
>>          >
>>          >
>>          > If the variables are blank, wouldn't, worst case, it copy the files in and just
>>          > have them be big?
>>
>>         not sure.. the command it runs is:
>>
>>              nice ${compresscmd} <$1 >$dest.${compressextension}
>>
>>         if compresslogs is not 1, then it just runs
>>
>>              nice cp $1 $dest
>>
>>         Your logs have a '.' at the end so it is clearly trying to do
>>         something,
>>         but not having the right variables there.
>>
>>         You should have one or more 'broctl-config.sh' files
>>
>>         something like:
>>
>>              /usr/local/bro/spool/broctl-config.sh
>>
>>         try
>>
>>              grep compress /usr/local/bro/spool/broctl-config.sh
>>
>>         you should get the same output.
>>
>>         --
>>         -- Justin Azoff
>>
>>
>>
>>
>>
>>
>
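
Added example (not part of the original thread and not broctl's own code): a pre-flight check for the mismatch described above, where `compresslogs` is 1 in `broctl-config.sh` but `compresscmd` or `compressextension` is absent, plus a listing of archived files whose names end in a dot. The function names are hypothetical, and the `NAME="value"` line format is assumed from the `compresslogs="1"` output quoted in the thread.

```shell
#!/bin/sh
# Added example: pre-flight check for the broctl archive step discussed above.
# Function names are hypothetical; variable names are the ones quoted in the thread.

# Print the value of NAME from a broctl-config.sh style file (lines like NAME="value").
cfg_value() {
    sed -n "s/^$2=\"\(.*\)\"\$/\1/p" "$1" | tail -n 1
}

# Return 0 if the compression settings are usable, 1 if compresslogs is 1
# but compresscmd or compressextension is missing or empty, 2 if unreadable.
check_compress_config() {
    cfg=$1
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    # With compression off the archive step is a plain cp; nothing more to check.
    [ "$(cfg_value "$cfg" compresslogs)" = "1" ] || return 0
    rc=0
    for name in compresscmd compressextension; do
        if [ -z "$(cfg_value "$cfg" "$name")" ]; then
            echo "$cfg: compresslogs=1 but $name is missing or empty" >&2
            rc=1
        fi
    done
    return "$rc"
}

# List archived files whose name ends in '.', the symptom reported in the thread.
list_dot_archives() {
    find "$1" -type f -name '*.' -print
}

# Usage: sh check.sh /usr/local/bro/spool/broctl-config.sh [archive-dir]
if [ "$#" -gt 0 ]; then
    check_compress_config "$1" && echo "$1: compression settings present"
    [ -z "${2:-}" ] || list_dot_archives "$2"
fi
```

Running the check after an upgrade, before the next log rotation, shows whether `broctl install` still needs to be run to regenerate the file.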