[Bro] Odd log problem - logs get archived as empty
Jeremy Hoel
jthoel at gmail.com
Thu Mar 6 18:05:17 PST 2014
Right right.. I so rarely change that; I forgot. Thank you and I'll test
that tomorrow.
On Mar 6, 2014 6:42 PM, "Daniel Thayer" <dnthayer at illinois.edu> wrote:
> You need to do "broctl install" after upgrading (that will update
> your broctl-config.sh file).
>
>
>
> On 03/06/2014 06:58 PM, Jeremy Hoel wrote:
>
>> So I added those two lines, restarted bro "broctl restart" waited a
>> number of minutes, then restarted it again, the logs moved into the
>> archive directory, but still end up empty and with the dot at the end.
>>
>> I'm heading home for the night, but I'll keep reading and checking out
>> some things.
>>
>> Thanks!
>>
>>
>> On Fri, Mar 7, 2014 at 12:51 AM, Jeremy Hoel <jthoel at gmail.com> wrote:
>>
>> # grep compress /usr/local/bro/spool/broctl-config.sh
>> compresslogs="1"
>>
>>
>> That is interesting. So it's missing the two lines:
>> compresscmd = gzip -9
>> compressextension = gz
>>
>> I'll add those and restart and see what happens
>>
>> Side note - this is an upgrade from 2.1 to 2.2
>>
>> And I think/thought it was working in 2.1
>>
>>
>>
>>
>> On Fri, Mar 7, 2014 at 12:43 AM, Justin Azoff <JAzoff at albany.edu> wrote:
>>
>> On Fri, Mar 07, 2014 at 12:11:09AM +0000, Jeremy Hoel wrote:
>> > # broctl config | grep compress
>> > compresscmd = gzip -9
>> > compressextension = gz
>> > compresslogs = 1
>> >
>> >
>> > If the variables are blank, wouldn't, worst case, it copy the files in
>> > and just have them be big?
>>
>> not sure.. the command it runs is:
>>
>> nice ${compresscmd} <$1 >$dest.${compressextension}
>>
>> if compresslogs is not 1, then it just runs
>>
>> nice cp $1 $dest
>>
>> Your logs have a '.' at the end so it is clearly trying to do something,
>> but not having the right variables there.
>>
>> You should have one or more 'broctl-config.sh' files
>>
>> something like:
>>
>> /usr/local/bro/spool/broctl-config.sh
>>
>> try
>>
>> grep compress /usr/local/bro/spool/broctl-config.sh
>>
>> you should get the same output.
>>
>> --
>> -- Justin Azoff
>>
>>
>>
>>
>>
>>
>
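
Added example, not part of the thread and not broctl's own code: a shell check that flags the state diagnosed above, where a `broctl-config.sh` style file has `compresslogs="1"` but no `compresscmd` or `compressextension`, so the archive name ends in a bare dot. The function names and the two sample files are constructed for illustration, and the `key="value"` layout is assumed from the grep output quoted in the thread.

```shell
#!/bin/sh
# Added example: consistency check for a broctl-config.sh style file.
# Assumes key="value" lines, as in the grep output quoted in the thread.

# Print the value of key $1 from file $2 (empty if the key is absent).
cfg_get() {
    sed -n 's/^'"$1"'="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$2" | tail -n 1
}

# Simplified model of the archive file name for log $2 under config $1,
# following the two commands quoted in the thread.
archive_name() {
    if [ "$(cfg_get compresslogs "$1")" = "1" ]; then
        printf '%s.%s\n' "$2" "$(cfg_get compressextension "$1")"
    else
        printf '%s\n' "$2"
    fi
}

# Return 1 if compression is enabled but a needed variable is missing.
check_compress_config() {
    [ "$(cfg_get compresslogs "$1")" = "1" ] || return 0
    rc=0
    for key in compresscmd compressextension; do
        if [ -z "$(cfg_get "$key" "$1")" ]; then
            echo "$1: compresslogs=1 but $key is not set" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample files: one stale (as after the upgrade), one complete.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'compresslogs="1"\n' > "$demo_dir/stale.sh"
printf 'compresscmd="gzip -9"\ncompressextension="gz"\ncompresslogs="1"\n' > "$demo_dir/fresh.sh"

archive_name "$demo_dir/stale.sh" conn.log   # conn.log.
archive_name "$demo_dir/fresh.sh" conn.log   # conn.log.gz
check_compress_config "$demo_dir/stale.sh" || echo "stale config: run 'broctl install'"
```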