[Bro] Odd log problem - logs get archived as empty

Fri Mar 7 09:15:35 PST 2014

Thanks for your help everyone.. I did the broctl install and then restart
and then at the next restart/rotate, things compressed like normal.

I'll have to do a test install and see if those two lines are in
the broctl-config.sh by default.

On Fri, Mar 7, 2014 at 2:05 AM, Jeremy Hoel <jthoel at gmail.com> wrote:

> Right right.. I so rarely change that; I forgot.  Thank you and I'll test
> that tomorrow.
> On Mar 6, 2014 6:42 PM, "Daniel Thayer" <dnthayer at illinois.edu> wrote:
>
>> You need to do "broctl install" after upgrading (that will update
>> your broctl-config.sh file).
>>
>>
>>
>> On 03/06/2014 06:58 PM, Jeremy Hoel wrote:
>>
>>> So I added those two lines, restarted bro "broctl restart" waited a
>>> number of minutes, then restarted it again, the logs moved into the
>>> archive directory, but still end up emtpry and with the dot at the end.
>>>
>>> I'm heading home for the night, but I'll keep reading and checking out
>>> some things.
>>>
>>> Thanks!
>>>
>>>
>>> On Fri, Mar 7, 2014 at 12:51 AM, Jeremy Hoel <jthoel at gmail.com
>>> <mailto:jthoel at gmail.com>> wrote:
>>>
>>>     # grep compress /usr/local/bro/spool/broctl-config.sh
>>>     compresslogs="1"
>>>
>>>
>>>     That is interesting.  So it's missing the two lines:
>>>     compresscmd = gzip -9
>>>     compressextension = gz
>>>
>>>     I'll add those and restart and see what happens
>>>
>>>     Side note - this is an upgrade from 2.1 to 2.2
>>>
>>>     And i think/thought it was working in 2.1
>>>
>>>
>>>
>>>
>>>     On Fri, Mar 7, 2014 at 12:43 AM, Justin Azoff <JAzoff at albany.edu
>>>     <mailto:JAzoff at albany.edu>> wrote:
>>>
>>>         On Fri, Mar 07, 2014 at 12:11:09AM +0000, Jeremy Hoel wrote:
>>>          > #  broctl config | grep compress
>>>          > compresscmd = gzip -9
>>>          > compressextension = gz
>>>          > compresslogs = 1
>>>          >
>>>          >
>>>          > If the variables are blank, wouldn't, worst case, it copy the
>>>         files in and just
>>>          > have them be big?
>>>
>>>         not sure.. the command it runs is:
>>>
>>>              nice ${compresscmd} <$1 >$dest.${compressextension}
>>>
>>>         if compresslogs is not 1, then it just runs
>>>
>>>              nice cp $1 $dest
>>>
>>>         Your logs have a '.' at the end so it is clearly trying to do
>>>         something,
>>>         but not having the right variables there.
>>>
>>>         You should have one or more 'broctl-config.sh' files
>>>
>>>         something like:
>>>
>>>              /usr/local/bro/spool/broctl-config.sh
>>>
>>>         try
>>>
>>>              grep compress /usr/local/bro/spool/broctl-config.sh
>>>
>>>         you should get the same output.
>>>
>>>         --
>>>         -- Justin Azoff
>>>
>>>
>>>
>>>
>>>
>>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140307/09d85cd2/attachment.html 