[Bro] Odd log problem - logs get archived as empty

Robin Sommer robin at icir.org
Fri Mar 7 09:37:34 PST 2014


Sounds like we should add a check to broctl that when the version of
either itself or Bro changes, it suggests doing an "install" if not
done yet.

Robin

On Fri, Mar 07, 2014 at 17:15 +0000, Jeremy Hoel wrote:

> Thanks for your help everyone.. I did the broctl install and then restart
> and then at the next restart/rotate, things compressed like normal.
> 
> I'll have to do a test install and see if those two lines are in
> the broctl-config.sh by default.
> 
> 
> On Fri, Mar 7, 2014 at 2:05 AM, Jeremy Hoel <jthoel at gmail.com> wrote:
> 
> > Right right.. I so rarely change that; I forgot.  Thank you and I'll test
> > that tomorrow.
> > On Mar 6, 2014 6:42 PM, "Daniel Thayer" <dnthayer at illinois.edu> wrote:
> >
> >> You need to do "broctl install" after upgrading (that will update
> >> your broctl-config.sh file).
> >>
> >>
> >>
> >> On 03/06/2014 06:58 PM, Jeremy Hoel wrote:
> >>
> >>> So I added those two lines, restarted bro "broctl restart", waited a
> >>> number of minutes, then restarted it again; the logs moved into the
> >>> archive directory, but still end up empty and with the dot at the end.
> >>>
> >>> I'm heading home for the night, but I'll keep reading and checking out
> >>> some things.
> >>>
> >>> Thanks!
> >>>
> >>>
> >>> On Fri, Mar 7, 2014 at 12:51 AM, Jeremy Hoel <jthoel at gmail.com
> >>> <mailto:jthoel at gmail.com>> wrote:
> >>>
> >>>     # grep compress /usr/local/bro/spool/broctl-config.sh
> >>>     compresslogs="1"
> >>>
> >>>
> >>>     That is interesting.  So it's missing the two lines:
> >>>     compresscmd = gzip -9
> >>>     compressextension = gz
> >>>
> >>>     I'll add those and restart and see what happens
> >>>
> >>>     Side note - this is an upgrade from 2.1 to 2.2
> >>>
> >>>     And I think/thought it was working in 2.1
> >>>
> >>>
> >>>
> >>>
> >>>     On Fri, Mar 7, 2014 at 12:43 AM, Justin Azoff <JAzoff at albany.edu
> >>>     <mailto:JAzoff at albany.edu>> wrote:
> >>>
> >>>         On Fri, Mar 07, 2014 at 12:11:09AM +0000, Jeremy Hoel wrote:
> >>>          > #  broctl config | grep compress
> >>>          > compresscmd = gzip -9
> >>>          > compressextension = gz
> >>>          > compresslogs = 1
> >>>          >
> >>>          >
> >>>          > If the variables are blank, wouldn't, worst case, it copy the
> >>>         files in and just
> >>>          > have them be big?
> >>>
> >>>         not sure.. the command it runs is:
> >>>
> >>>              nice ${compresscmd} <$1 >$dest.${compressextension}
> >>>
> >>>         if compresslogs is not 1, then it just runs
> >>>
> >>>              nice cp $1 $dest
> >>>
> >>>         Your logs have a '.' at the end so it is clearly trying to do
> >>>         something, but not having the right variables there.
> >>>
> >>>         You should have one or more 'broctl-config.sh' files
> >>>
> >>>         something like:
> >>>
> >>>              /usr/local/bro/spool/broctl-config.sh
> >>>
> >>>         try
> >>>
> >>>              grep compress /usr/local/bro/spool/broctl-config.sh
> >>>
> >>>         you should get the same output.
> >>>
> >>>         --
> >>>         -- Justin Azoff
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>

> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro



-- 
Robin Sommer * Phone +1 (510) 722-6541 *     robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org/robin
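The failure mode discussed in the thread is a plain shell-expansion one: in
`nice ${compresscmd} <$1 >$dest.${compressextension}`, an unset
`compresscmd` and `compressextension` expand to nothing, so the shell still
opens `$dest.` for writing (hence the trailing dot) but no compressor ever
fills it. The script below is an added example, not broctl's own code, that
reproduces the destination-name logic from the quoted command and shows a
hardened archive step that refuses to run when `compresslogs=1` but the two
companion variables are missing, plus a check over a `broctl-config.sh`-style
file. The function names (`dest_name`, `archive_log`, `check_config`, `demo`)
are mine; the variable names mirror the ones quoted above; the log content is
constructed.

```shell
#!/bin/sh
# Added example (not broctl code): stand-in for the archive-log step quoted
# in the thread, with the unset-variable case handled instead of silently
# producing "<dest>." from an empty expansion.

# Build the destination name the way the quoted command does: with
# compresslogs=1 the extension is appended after a dot, so an empty
# compressextension yields a name ending in '.'.
dest_name() {
    # $1 = destination base, $2 = compresslogs, $3 = compressextension
    if [ "$2" = "1" ]; then
        printf '%s.%s\n' "$1" "$3"
    else
        printf '%s\n' "$1"
    fi
}

# Hardened archive step: fail loudly when compresslogs=1 but compresscmd or
# compressextension is unset (the state an un-"install"ed upgrade leaves
# broctl-config.sh in), and refuse to leave an empty archive behind.
archive_log() {
    # $1 = source log, $2 = destination base, $3 = compresslogs,
    # $4 = compresscmd, $5 = compressextension
    src=$1; base=$2; cl=$3; cmd=$4; ext=$5
    if [ "$cl" = "1" ]; then
        if [ -z "$cmd" ] || [ -z "$ext" ]; then
            echo "archive_log: compresslogs=1 but compresscmd/compressextension unset (run 'broctl install'?)" >&2
            return 2
        fi
        dest=$(dest_name "$base" "$cl" "$ext")
        # word-splitting of $cmd is intentional: "gzip -9" is command + flag
        nice $cmd <"$src" >"$dest" || return 1
    else
        dest=$(dest_name "$base" "$cl" "")
        nice cp "$src" "$dest" || return 1
    fi
    [ -s "$dest" ] || { echo "archive_log: $dest is empty" >&2; return 3; }
    printf '%s\n' "$dest"
}

# Check a broctl-config.sh-style file for all three variables; the exit
# status is the number of missing ones, so 0 means the file is complete.
check_config() {
    # $1 = path to a broctl-config.sh-like file
    missing=0
    for v in compresslogs compresscmd compressextension; do
        grep -q "^$v=" "$1" || { echo "missing: $v" >&2; missing=$((missing + 1)); }
    done
    return $missing
}

# Demo on a constructed log: first the incomplete config from the thread
# (compresslogs set, command/extension missing), then a complete one.
demo() {
    d=$(mktemp -d)
    printf 'constructed conn.log line\n' >"$d/conn.log"
    archive_log "$d/conn.log" "$d/conn" 1 "" "" || echo "refused with status $?"
    archive_log "$d/conn.log" "$d/conn" 1 "gzip -9" gz
    rm -rf "$d"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh script.sh demo` to see the refusal followed by a real `conn.gz`.
The same class of bug is caught earlier by `set -u` at the top of a script
that sources `broctl-config.sh`: an unset `${compresscmd}` then aborts the
expansion instead of quietly producing an empty command line.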


