[Bro] logs in bro/spool/manager not consistent with archived logs

Daniel Thayer dnthayer at illinois.edu
Thu Jun 18 11:23:48 PDT 2015


The directory "spool/manager" is where the current (i.e., active) logs
are located.  The "logs" directory is where the archived logs are
located.  Logs are archived according to the log rotation interval
specified in your configuration.


On 06/18/2015 01:13 PM, Duba, Andrew wrote:
> I’m running bro in my test environment and if I do an ls on the
> directory where current logs are supposed to be stored I get this
>
> root at spot:/usr/local/bro/logs# ls /usr/local/bro/spool/manager
>
> communication.log  loaded_scripts.log  reporter.log  stderr.log  stdout.log
>
>
>
> If I run  an ls in one of the archived directories I get this
>
> app_stats.00:00:00-01:00:00.log.gz  conn.06:00:00-07:00:00.log.gz          dpd.07:00:00-08:00:00.log.gz    known_services.00:00:00-01:00:00.log.gz  reporter.12:49:56-12:58:35.log.gz  ssl.12:00:00-13:00:00.log.gz
> app_stats.01:00:00-02:00:00.log.gz  conn.07:00:00-08:00:00.log.gz          dpd.08:00:00-09:00:00.log.gz    known_services.01:00:00-02:00:00.log.gz  reporter.13:02:38-13:06:00.log.gz  tunnel.07:00:00-08:00:00.log.gz
> app_stats.02:00:00-03:00:00.log.gz  conn.08:00:00-09:00:00.log.gz          dpd.09:00:00-10:00:00.log.gz    known_services.09:00:00-10:00:00.log.gz  snmp.00:00:00-01:00:00.log.gz      tunnel.08:00:00-09:00:00.log.gz
> app_stats.03:00:00-04:00:00.log.gz  conn.09:00:00-10:00:00.log.gz          dpd.10:00:00-11:00:00.log.gz    known_services.12:00:00-13:00:00.log.gz  snmp.01:00:00-02:00:00.log.gz      tunnel.10:00:00-11:00:00.log.gz
> app_stats.04:00:00-05:00:00.log.gz  conn.10:00:00-11:00:00.log.gz          dpd.11:00:00-12:00:00.log.gz    loaded_scripts.12:45:56-12:58:35.log.gz  snmp.02:00:00-03:00:00.log.gz      tunnel.11:00:00-12:00:00.log.gz
> app_stats.05:00:00-06:00:00.log.gz  conn.11:00:00-12:00:00.log.gz          dpd.12:00:00-13:00:00.log.gz    loaded_scripts.12:58:38-13:00:00.log.gz  snmp.03:00:00-04:00:00.log.gz      tunnel.12:00:00-13:00:00.log.gz
> app_stats.06:00:00-07:00:00.log.gz  conn.12:00:00-13:00:00.log.gz          files.00:00:00-01:00:00.log.gz  notice.00:00:00-01:00:00.log.gz          snmp.09:00:00-10:00:00.log.gz      weird.00:00:00-01:00:00.log.gz
> app_stats.07:00:00-08:00:00.log.gz  conn-summary.00:00:00-01:00:00.log.gz  files.01:00:00-02:00:00.log.gz  notice.01:00:00-02:00:00.log.gz          snmp.10:00:00-11:00:00.log.gz      weird.01:00:00-02:00:00.log.gz
> app_stats.08:00:00-09:00:00.log.gz  conn-summary.01:00:00-02:00:00.log.gz  files.02:00:00-03:00:00.log.gz  notice.02:00:00-03:00:00.log.gz          snmp.11:00:00-12:00:00.log.gz      weird.02:00:00-03:00:00.log.gz
> app_stats.09:00:00-10:00:00.log.gz  conn-summary.02:00:00-03:00:00.log.gz  files.03:00:00-04:00:00.log.gz  notice.03:00:00-04:00:00.log.gz          software.00:00:00-01:00:00.log.gz  weird.03:00:00-04:00:00.log.gz
> app_stats.10:00:00-11:00:00.log.gz  conn-summary.03:00:00-04:00:00.log.gz  files.04:00:00-05:00:00.log.gz  notice.04:00:00-05:00:00.log.gz          software.01:00:00-02:00:00.log.gz  weird.04:00:00-05:00:00.log.gz
>
> Is there a configuration directive that I’m missing?
>
> Thanks in advance for any help.
>
> -Andrew
>
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
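The archived names Daniel describes encode the rotation interval each file covers. As an added example (not code from the list post or from the Bro project), the script below parses such names and reports, per log stream, where consecutive archives do not abut, which is how a hole in log coverage (Bro down, rotation not run) shows up in a day's archive directory. The sample names are a constructed subset of the listing quoted above; the HH:MM:SS single-day naming is assumed.

```python
import re
from collections import defaultdict

# Archived Bro logs are named <stream>.<start>-<end>.log.gz, where start/end are the
# rotation interval the file covers (assumed HH:MM:SS within one day's archive dir).
ARCHIVE_RE = re.compile(r"^(?P<stream>[\w-]+)\.(?P<start>\d\d:\d\d:\d\d)-(?P<end>\d\d:\d\d:\d\d)\.log\.gz$")

# Constructed sample: a subset of the names from the posted listing, one per line,
# plus a non-archive name that the parser must ignore.
SAMPLE_LISTING = """
conn.06:00:00-07:00:00.log.gz
conn.07:00:00-08:00:00.log.gz
snmp.02:00:00-03:00:00.log.gz
snmp.03:00:00-04:00:00.log.gz
snmp.09:00:00-10:00:00.log.gz
snmp.10:00:00-11:00:00.log.gz
reporter.12:49:56-12:58:35.log.gz
reporter.13:02:38-13:06:00.log.gz
stdout.log
"""

def _seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def _hms(seconds):
    return "%02d:%02d:%02d" % (seconds // 3600, seconds % 3600 // 60, seconds % 60)

def parse_archive_name(name):
    """Return (stream, start_seconds, end_seconds), or None if not an archived log name."""
    m = ARCHIVE_RE.match(name)
    if m is None:
        return None
    return m["stream"], _seconds(m["start"]), _seconds(m["end"])

def coverage_gaps(names):
    """Per stream, list (gap_start, gap_end) where the next archive starts after the previous ends."""
    spans = defaultdict(list)
    for name in names:
        parsed = parse_archive_name(name.strip())
        if parsed:
            spans[parsed[0]].append(parsed[1:])
    gaps = {}
    for stream, intervals in spans.items():
        intervals.sort()
        gaps[stream] = [
            (_hms(prev_end), _hms(next_start))
            for (_, prev_end), (next_start, _) in zip(intervals, intervals[1:])
            if next_start > prev_end
        ]
    return gaps
```

Run it against `ls` output of one archive directory (`coverage_gaps(sys.stdin.read().split())`) to see which streams have uncovered intervals; a stream whose first archive starts late in the day, like conn at 06:00:00 in the listing, is not reported as a gap and needs a separate check.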
