[Bro] [maintenance] what would cause a backlog/erasure in "...logs/current"?
Glenn Forbes Fleming Larratt
gl89 at cornell.edu
Thu Jan 8 08:24:09 PST 2015
Folks,
My Bro cluster is happily flagging and accumulating data - but:
1. The last two hourly cycles left uncompressed logfiles in
/opt/app/bro/logs/current:
:
:
-rw-r--r-- 1 bro bro 73529 Jan 8 11:00 reporter-15-01-08_10.00.00.log
-rw-r--r-- 1 bro bro 749059 Jan 8 11:00 tunnel-15-01-08_10.00.00.log
-rw-r--r-- 1 bro bro 2474781 Jan 8 11:00 weird-15-01-08_10.00.00.log
-rw-r--r-- 1 bro bro 17062559659 Jan 8 10:00 conn-15-01-08_09.00.00.log
-rw-r--r-- 1 bro bro 2260979370 Jan 8 10:00 files-15-01-08_09.00.00.log
-rw-r--r-- 1 bro bro 4942559737 Jan 8 10:00 http-15-01-08_09.00.00.log
: etc.
:
2. No gzip processes were in evidence;
3. Figuring it might be the appropriate proverbial kick in the pants, I
did a "broctl restart", which ran cleanly - and to all appearances,
*erased* the older uncompressed files in question.
I now have a hole where the data from 10:00-12:00 today used to be - can
anyone shed light on what's going on here?
Thanks,
--
Glenn Forbes Fleming Larratt
Cornell University IT Security Office
More information about the Bro
mailing list