[Bro] Revisiting log rotate only

James Lay jlay at slave-tothe-box.net
Sat Jan 17 06:37:17 PST 2015


Hey all,

I posted about this last August here:

http://mailman.icsi.berkeley.edu/pipermail/bro/2014-August/007329.html

I also noticed someone had a disappearing log event, which I have seen
before as well, here:

http://mailman.icsi.berkeley.edu/pipermail/bro/2015-January/007935.html

I documented my process on installing bro on Ubuntu 14.04 using just log
rotation below:

sudo apt-get -y install cmake
sudo apt-get -y install python-dev
sudo apt-get -y install swig
cp /usr/local/bro/share/bro/site
cp /opt/bin/startbro <- command line bro with long --filter line
cp /opt/bin/startbro to /etc/rc.local
sudo ln -s /usr/local/bro/bin/bro /usr/local/bin/
sudo ln -s /usr/local/bro/bin/bro-cut /usr/local/bin/
sudo ln -s /usr/local/bro/bin/broctl /usr/local/bin/
sudo ln -s /usr/local/bro/share/broctl/scripts/archive-log /usr/local/bin/
sudo ln -s /usr/local/bro/share/broctl/scripts/broctl-config.sh /usr/local/bin/
sudo ln -s /usr/local/bro/share/broctl/scripts/create-link-for-log /usr/local/bin/
sudo ln -s /usr/local/bro/share/broctl/scripts/make-archive-name /usr/local/bin/
git clone https://github.com/jonschipp/mal-dnssearch.git
sudo make install

specifics on log rotate only:

add the below to local.bro
redef Log::default_rotation_interval = 86400 secs;
redef Log::default_rotation_postprocessor_cmd = "archive-log";
edit the below in broctl.cfg
MailTo = jlay at slave-tothe-box.net
LogRotationInterval = 86400
sudo /usr/local/bro/bin/broctl install

Besides the edits to broctl.cfg, file locations are the default.  The
above works well usually...it's after a reboot I have found things go
bad.  Usually logs get rotated at midnight and I get an email with
statistics, just what I need.  I rebooted the machine on the 13th, and
that's the last email or log rotation I got....this morning I see
current has files and my logstash instance has data, so I believe the
rotation got..."stuck".  I'm kicking myself for not heading/tailing the
files first, but after issuing a "sudo killall bro", those files in
current vanished, no directory was created, and I received no email;
that data is now gone (no big deal as this is at home).  I decided to
run broctl install again, then start and kill bro one more time.  At
that point, I got a new directory with log rotation and an email with
minutes or so of stats.  Please let me know if there's something I can
do on my end to troubleshoot.  Thank you.

James
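A small check for the "stuck" state described in the post, added here as an example rather than anything from the post or from Bro itself. Bro's ASCII logs carry an `#open` header line with the time the file was opened, so with `Log::default_rotation_interval = 86400 secs` a file in current/ whose `#open` time is older than one day (plus an assumed grace period for the postprocessor) has not been rotated; the path and the grace period are assumptions, and the sample header is constructed.

```python
"""Flag Bro logs in current/ whose #open time is past the rotation interval."""
import glob
import os
from datetime import datetime, timedelta

LOG_DIR = "/usr/local/bro/logs/current"        # Bro's default current/ directory
ROTATION_INTERVAL = timedelta(seconds=86400)   # matches the redef in local.bro
GRACE = timedelta(minutes=10)                  # assumed slack for archive-log to run

# Constructed sample: the preamble Bro writes at the top of each ASCII log.
SAMPLE_HEADER = [
    "#separator \\x09\n",
    "#set_separator\t,\n",
    "#empty_field\t(empty)\n",
    "#unset_field\t-\n",
    "#path\tconn\n",
    "#open\t2015-01-13-00-00-01\n",
    "#fields\tts\tuid\n",
    "#types\ttime\tstring\n",
]


def parse_open_time(header_lines):
    """Return the datetime from a '#open<TAB>YYYY-MM-DD-HH-MM-SS' line, else None."""
    for line in header_lines:
        if line.startswith("#open"):
            parts = line.rstrip("\n").split("\t")
            if len(parts) == 2:
                return datetime.strptime(parts[1], "%Y-%m-%d-%H-%M-%S")
    return None


def is_stuck(open_time, now, interval=ROTATION_INTERVAL, grace=GRACE):
    """True when the file has been open longer than interval + grace."""
    return open_time is not None and now - open_time > interval + grace


def find_stuck_logs(log_dir=LOG_DIR, now=None):
    """Scan *.log in log_dir; return [(name, open_time)] for files not rotated."""
    now = now or datetime.now()
    stuck = []
    for path in sorted(glob.glob(os.path.join(log_dir, "*.log"))):
        with open(path, encoding="utf-8", errors="replace") as fh:
            header = [next(fh, "") for _ in range(8)]  # #open sits in the preamble
        opened = parse_open_time(header)
        if is_stuck(opened, now):
            stuck.append((os.path.basename(path), opened))
    return stuck


if __name__ == "__main__":
    for name, opened in find_stuck_logs():
        print(f"STUCK: {name} opened {opened}, rotation has not run")
```

Run it from cron a few minutes after the expected rotation time; a non-empty result means the next "killall bro" will discard those files, so archive them before restarting.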