[Bro] Odd log problem - logs get archived as empty

James Lay jlay at slave-tothe-box.net
Fri Mar 7 10:43:28 PST 2014


On 2014-03-07 11:02, Justin Azoff wrote:
> On Fri, Mar 07, 2014 at 05:49:59PM +0000, Jeremy Hoel wrote:
>> Plus, the 'broctl config' knew about the commands, but they weren't in
>> the .sh file.  So I'm not sure how/why that was different. But that is
>> probably totally me not knowing how Bro works in detail.
>
> The why would be: 'broctl install' was not run after upgrading bro.
>
>> I'm just helpful for the quick response of this list and that it wasn't
>> something simple that I had missed.
>
>
> Looks like there are things that can be done in broctl to check for
> this, but in the future just running broctl install after an upgrade
> will make this not happen again.

You can also roll your own...in a cron job at say 23:58 (you lose the 
email stats without broctl however)

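#!/bin/bash
# Stop Bro, move the day's logs into a dated archive directory, compress them, restart Bro.
# Compute the archive path once so every step uses the same directory.
archive=/media/backup/bro/logarchive/$(date --date=today +%m-%d-%Y)
killall bro
mkdir -p "$archive"
mv /media/backup/bro/current/*.log "$archive"/
# Do not run gz.pl anywhere else if the archive directory is missing.
cd "$archive" || exit 1
/usr/local/bin/gz.pl
cd /media/backup/bro/current || exit 1
/usr/local/bin/startbro
exit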


cat /usr/local/bin/gz.pl

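#!/usr/bin/perl
# Compress every .log file in the current directory.
use strict;
use warnings;
my @zips = glob("*.log");
foreach my $log (@zips) {
    # List form of system() bypasses the shell, so file names are not reinterpreted.
    system("gzip", "--", $log);
}
exit;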


James


