[Bro] Stats.log Growing Out of Control!!!

Daniel Thayer dnthayer at illinois.edu
Mon Jan 19 15:39:18 PST 2015


I'd like to know why the stats-to-csv script is failing.
Could you apply the attached patch, and then send me
the contents of the "stats-to-csv failed" email?

To apply the patch you'll need to change directory to (where <prefix>
is the Bro install prefix directory):
<prefix>/lib/broctl/BroControl
In that directory you should see a file named "cron.py".



On 01/19/2015 02:16 PM, Damon Rouse wrote:
> @Dan:  Both those files are there.
>
> What my main issue seems to be is that my stats.log file is growing by
> 20-30MB every 5 minutes when the cron runs.  I then get the email below
> in my original post.
>
> I'm circling back here to hopefully find a resolution.  I opened a
> thread in the Security Onion and tried limiting these events in my
> broctl.cfg; it doesn't seem to work.  I've stopped Bro, deleted the stats
> dir, did broctl install and then start, no go there either.
>
> Here's my SO thread for ref:
> https://groups.google.com/forum/#!topic/security-onion/bdmFGn3oj24
>
> If anyone has any ideas or thoughts, please let me know.  Any help is
> truly appreciated!
>
> Thanks
> Damon
>
> On Fri, Jan 2, 2015 at 2:16 PM, Thayer, Daniel N <dnthayer at illinois.edu
> <mailto:dnthayer at illinois.edu>> wrote:
>
>     The stats-to-csv script creates files with a ".csv" file extension in
>     the directory <prefix>/logs/stats/www/  (where <prefix> is the bro
>     install directory).  In order for this script to work, it needs to
>     read two files:  <prefix>/spool/stats.log and
>     <prefix>/logs/stats/meta.dat
>
>     From: bro-bounces at bro.org <mailto:bro-bounces at bro.org>
>     [bro-bounces at bro.org <mailto:bro-bounces at bro.org>] on behalf of
>     Damon Rouse [damonrouse at gmail.com <mailto:damonrouse at gmail.com>]
>     Sent: Friday, January 02, 2015 11:58 AM
>     To: bro at bro-ids.org <mailto:bro at bro-ids.org>
>     Subject: [Bro] (no subject)
>
>     Happy New Year Everyone!!!
>
>     Has anyone ever seen the following error before?  Email alerts that
>     come in look like this:
>
>     Subject: [Bro] cron: stats-to-csv failed
>     Body:
>     stats-to-csv failed
>     --
>     [Automatically generated.]
>
>     I started receiving these yesterday.  They come in every 5 minutes
>     and I've never received them before yesterday.
>
>     Bro is running fine, my system is completely updated and everything
>     looks good when I run a sostat (running BRO under Security Onion).
>
>     Any insight is appreciated as I have no idea if they are something I
>     should look into or not.
>
>     Thanks
>     Damon
-------------- next part --------------
A non-text attachment was scrubbed...
Name: broctlcron.patch
Type: text/x-patch
Size: 388 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150119/b7b099b6/attachment.bin 

