[Bro] [maintenance] what would cause a backlog/erasure in "...logs/current"?

Daniel Thayer dnthayer at illinois.edu
Wed Jan 21 08:38:05 PST 2015


On 01/08/2015 10:24 AM, Glenn Forbes Fleming Larratt wrote:
> Folks,
>
> My Bro cluster is happily flagging and accumulating data - but:
>
>    1. The last two hourly cycles left uncompressed logfiles in
>       /opt/app/bro/logs/current:
>
>      :
>      :
> -rw-r--r-- 1 bro bro       73529 Jan  8 11:00 reporter-15-01-08_10.00.00.log
> -rw-r--r-- 1 bro bro      749059 Jan  8 11:00 tunnel-15-01-08_10.00.00.log
> -rw-r--r-- 1 bro bro     2474781 Jan  8 11:00 weird-15-01-08_10.00.00.log
> -rw-r--r-- 1 bro bro 17062559659 Jan  8 10:00 conn-15-01-08_09.00.00.log
> -rw-r--r-- 1 bro bro  2260979370 Jan  8 10:00 files-15-01-08_09.00.00.log
> -rw-r--r-- 1 bro bro  4942559737 Jan  8 10:00 http-15-01-08_09.00.00.log
>      : etc.
>      :
>
>    2. No gzip processes were in evidence;
>
>    3. Figuring it might be the appropriate proverbial kick in the pants, I
>       did a "broctl restart", which ran cleanly - and to all appearances,
>       *erased* the older uncompressed files in question.
>
> I now have a hole where the data from 10:00-12:00 today used to be - can
> anyone shed light on what's going on here?
>

Has this happened more than once?  Have you tried looking for
unarchived log files in /opt/app/bro/spool/tmp ?

If there were any unarchived log files in logs/current, then when
you do a broctl stop (or broctl restart), I would expect that they
would get moved into a subdirectory of spool/tmp/ (assuming that
you're using a recent version of broctl).


More information about the Bro mailing list