[Bro] [maintenance] what would cause a backlog/erasure in "...logs/current"?

Glenn Forbes Fleming Larratt gl89 at cornell.edu
Mon Jan 26 12:01:56 PST 2015 

I have anecdotal information, but no direct experience beyond the one 
time. I used a 'find' command to search throughout my installation for the 
lost files, to no effect.

I would have expected the same thing, but found them gone instead. FWIW, 
broctl reports itself as v1.3 (in a v2.3 Bro deployment).

Thanks,

 	-g

-- 
Glenn Forbes Fleming Larratt
Cornell University IT Security Office

On Wed, 21 Jan 2015, Daniel Thayer wrote:

> On 01/08/2015 10:24 AM, Glenn Forbes Fleming Larratt wrote:
>>  Folks,
>>
>>  My Bro cluster is happily flagging and accumulating data - but:
>>
>>     1. The last two hourly cycles left uncompressed logfiles in
>>        /opt/app/bro/logs/current:
>> 
>> : 
>> :
>>  -rw-r--r-- 1 bro bro       73529 Jan  8 11:00
>>  reporter-15-01-08_10.00.00.log
>>  -rw-r--r-- 1 bro bro      749059 Jan  8 11:00 tunnel-15-01-08_10.00.00.log
>>  -rw-r--r-- 1 bro bro     2474781 Jan  8 11:00 weird-15-01-08_10.00.00.log
>>  -rw-r--r-- 1 bro bro 17062559659 Jan  8 10:00 conn-15-01-08_09.00.00.log
>>  -rw-r--r-- 1 bro bro  2260979370 Jan  8 10:00 files-15-01-08_09.00.00.log
>>  -rw-r--r-- 1 bro bro  4942559737 Jan  8 10:00 http-15-01-08_09.00.00.log
>> :  etc.
>> : 
>>
>>     2. No gzip processes were in evidence;
>>
>>     3. Figuring it might be the appropriate proverbial kick in the pants, I
>>        did a "broctl restart", which ran cleanly - and to all appearances,
>>        *erased* the older uncompressed files in question.
>>
>>  I now have a hole where the data from 10:00-12:00 today used to be - can
>>  anyone shed light on what's going on here?
>> 
>
> Has this happened more than once?  Have you tried looking for
> unarchived log files in /opt/app/bro/spool/tmp ?
>
> If there were any unarchived log files in logs/current, then when
> you do a broctl stop (or broctl restart), I would expect that they
> would get moved into a subdirectory of spool/tmp/ (assuming that
> you're using a recent version of broctl).
>
>

More information about the Bro mailing list