[Bro] Odd log problem - logs get archived as empty
Robin Sommer
robin at icir.org
Fri Mar 7 09:37:34 PST 2014
Sounds like we should add a check to broctl that when the version of
either itself or Bro changes, it suggests doing an "install" if not
done yet.
Robin
On Fri, Mar 07, 2014 at 17:15 +0000, Jeremy Hoel wrote:
> Thanks for your help everyone.. I did the broctl install and then restart
> and then at the next restart/rotate, things compressed like normal.
>
> I'll have to do a test install and see if those two lines are in
> the broctl-config.sh by default.
>
>
> On Fri, Mar 7, 2014 at 2:05 AM, Jeremy Hoel <jthoel at gmail.com> wrote:
>
> > Right right.. I so rarely change that; I forgot. Thank you and I'll test
> > that tomorrow.
> > On Mar 6, 2014 6:42 PM, "Daniel Thayer" <dnthayer at illinois.edu> wrote:
> >
> >> You need to do "broctl install" after upgrading (that will update
> >> your broctl-config.sh file).
> >>
> >>
> >>
> >> On 03/06/2014 06:58 PM, Jeremy Hoel wrote:
> >>
> >>> So I added those two lines, restarted Bro ("broctl restart"), waited a
> >>> number of minutes, then restarted it again. The logs moved into the
> >>> archive directory, but still end up empty and with the dot at the end.
> >>>
> >>> I'm heading home for the night, but I'll keep reading and checking out
> >>> some things.
> >>>
> >>> Thanks!
> >>>
> >>>
> >>> On Fri, Mar 7, 2014 at 12:51 AM, Jeremy Hoel <jthoel at gmail.com
> >>> <mailto:jthoel at gmail.com>> wrote:
> >>>
> >>> # grep compress /usr/local/bro/spool/broctl-config.sh
> >>> compresslogs="1"
> >>>
> >>>
> >>> That is interesting. So it's missing the two lines:
> >>> compresscmd = gzip -9
> >>> compressextension = gz
> >>>
> >>> I'll add those and restart and see what happens
> >>>
> >>> Side note - this is an upgrade from 2.1 to 2.2
> >>>
> >>> And I think/thought it was working in 2.1
> >>>
> >>> On Fri, Mar 7, 2014 at 12:43 AM, Justin Azoff <JAzoff at albany.edu
> >>> <mailto:JAzoff at albany.edu>> wrote:
> >>>
> >>> On Fri, Mar 07, 2014 at 12:11:09AM +0000, Jeremy Hoel wrote:
> >>> > # broctl config | grep compress
> >>> > compresscmd = gzip -9
> >>> > compressextension = gz
> >>> > compresslogs = 1
> >>> >
> >>> >
> >>> > If the variables are blank, wouldn't, worst case, it copy the
> >>> files in and just
> >>> > have them be big?
> >>>
> >>> not sure.. the command it runs is:
> >>>
> >>> nice ${compresscmd} <$1 >$dest.${compressextension}
> >>>
> >>> if compresslogs is not 1, then it just runs
> >>>
> >>> nice cp $1 $dest
> >>>
> >>> Your logs have a '.' at the end so it is clearly trying to do
> >>> something,
> >>> but not having the right variables there.
> >>>
> >>> You should have one or more 'broctl-config.sh' files
> >>>
> >>> something like:
> >>>
> >>> /usr/local/bro/spool/broctl-config.sh
> >>>
> >>> try
> >>>
> >>> grep compress /usr/local/bro/spool/broctl-config.sh
> >>>
> >>> you should get the same output.
> >>>
> >>> --
> >>> -- Justin Azoff
> >>>
> >>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org/robin
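The archive step Justin quoted above runs `nice ${compresscmd} <$1 >$dest.${compressextension}` when compresslogs is 1, so a broctl-config.sh that still carries compresslogs="1" but lost compresscmd and compressextension (the stale-config state after the 2.1 to 2.2 upgrade, before "broctl install") produces a destination named "conn." with no compressor in front of the redirect. The script below is an added example written for this post, not broctl's own archive-log script: it mimics the two code paths (compress vs. plain cp) and adds the guard a practitioner would want, refusing to run and pointing at "broctl install" when the compression variables came through empty instead of silently writing a "$dest." file. The function name, the argument order, the scratch directory and the sample conn.log line are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not broctl's archive-log script. archive_one mirrors the
# two paths quoted in the thread and refuses the misconfigured case.
#
# archive_one SRC DEST_BASE COMPRESSLOGS COMPRESSCMD COMPRESSEXT
#   exit status 0 on success, 1 on I/O failure, 2 on misconfiguration.
#   Never creates a "DEST_BASE." file (empty extension) as the original
#   redirect would.
archive_one() {
    src=$1; dest=$2; compresslogs=$3; compresscmd=$4; compressext=$5

    [ -f "$src" ] || { echo "archive: no such file: $src" >&2; return 1; }
    mkdir -p "$(dirname "$dest")" || return 1

    if [ "$compresslogs" = "1" ]; then
        # Failure mode from the thread: compresslogs=1 but the other two
        # variables are blank, e.g. broctl-config.sh not regenerated after
        # an upgrade. Fail loudly instead of writing "$dest.".
        if [ -z "$compresscmd" ] || [ -z "$compressext" ]; then
            echo "archive: compresslogs=1 but compresscmd/compressextension are empty;" \
                 "run 'broctl install' to regenerate broctl-config.sh" >&2
            return 2
        fi
        # compresscmd is intentionally unquoted: it may carry flags ("gzip -9").
        # Remove the partial output if the compressor fails, since the shell
        # creates the target file before the command runs.
        nice $compresscmd <"$src" >"$dest.$compressext" \
            || { rm -f "$dest.$compressext"; return 1; }
    else
        nice cp "$src" "$dest" || return 1
    fi
    return 0
}

# Exercise both configurations on a constructed sample log (not real
# traffic); prints one line per check that passed, returns non-zero on a bug.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '#fields\tts\tuid\tid.orig_h\n1394172000.000000\tCXWv6p3arKYeMETxOg\t10.0.0.5\n' \
        >"$tmp/conn.log"

    # 1. Stale config after upgrade: compresslogs=1, command/extension blank.
    if archive_one "$tmp/conn.log" "$tmp/archive/conn" 1 "" ""; then
        echo "BUG: empty compressor was accepted" >&2; return 1
    fi
    [ ! -e "$tmp/archive/conn." ] || { echo "BUG: stray 'conn.' file" >&2; return 1; }
    echo "stale config refused"

    # 2. Regenerated config: compressed archive round-trips to the source.
    archive_one "$tmp/conn.log" "$tmp/archive/conn" 1 "gzip -9" "gz" || return 1
    [ "$(gzip -dc "$tmp/archive/conn.gz")" = "$(cat "$tmp/conn.log")" ] || return 1
    echo "compressed archive matches source"

    # 3. compresslogs=0: plain copy, no extension appended.
    archive_one "$tmp/conn.log" "$tmp/archive/conn" 0 "" "" || return 1
    [ "$(cat "$tmp/archive/conn")" = "$(cat "$tmp/conn.log")" ] || return 1
    echo "plain copy matches source"

    rm -rf "$tmp"
}

demo
```

The check is deliberately placed on the values as they arrive in the archive script rather than in "broctl config" output, because, as the thread shows, the two can disagree: "broctl config" read the current broctl.cfg while the spool's broctl-config.sh was still the pre-upgrade copy.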