[Bro] logs in bro/spool/manager not consistent with archived logs

Duba, Andrew andrew_duba at wustl.edu
Thu Jun 18 11:46:11 PDT 2015


Right.  The "logs" directory has compressed versions of the files that are
under "current" but all I'm seeing under current are the 5 logs which do
not map to the naming scheme in the archived directories.

-Andrew

On 6/18/15, 1:23 PM, "Daniel Thayer" <dnthayer at illinois.edu> wrote:

>The directory "spool/manager" is where the current (i.e., active) logs
>are located.  The "logs" directory is where the archived logs are
>located.  Logs are archived according to the log rotation interval
>specified in your configuration.
>
>
>On 06/18/2015 01:13 PM, Duba, Andrew wrote:
>> I'm running bro in my test environment and if I do an ls on the
>> directory where current logs are supposed to be stored I get this
>>
>> root at spot:/usr/local/bro/logs# ls /usr/local/bro/spool/manager
>>
>> communication.log  loaded_scripts.log  reporter.log  stderr.log
>>stdout.log
>>
>>
>>
>> If I run  an ls in one of the archived directories I get this
>>
>> app_stats.00:00:00-01:00:00.log.gz
>> conn.06:00:00-07:00:00.log.gz
>> dpd.07:00:00-08:00:00.log.gz
>> known_services.00:00:00-01:00:00.log.gz
>> reporter.12:49:56-12:58:35.log.gz
>> ssl.12:00:00-13:00:00.log.gz
>> app_stats.01:00:00-02:00:00.log.gz
>> conn.07:00:00-08:00:00.log.gz
>> dpd.08:00:00-09:00:00.log.gz
>> known_services.01:00:00-02:00:00.log.gz
>> reporter.13:02:38-13:06:00.log.gz
>> tunnel.07:00:00-08:00:00.log.gz
>> app_stats.02:00:00-03:00:00.log.gz
>> conn.08:00:00-09:00:00.log.gz
>> dpd.09:00:00-10:00:00.log.gz
>> known_services.09:00:00-10:00:00.log.gz
>> snmp.00:00:00-01:00:00.log.gz
>> tunnel.08:00:00-09:00:00.log.gz
>> app_stats.03:00:00-04:00:00.log.gz
>> conn.09:00:00-10:00:00.log.gz
>> dpd.10:00:00-11:00:00.log.gz
>> known_services.12:00:00-13:00:00.log.gz
>> snmp.01:00:00-02:00:00.log.gz
>> tunnel.10:00:00-11:00:00.log.gz
>> app_stats.04:00:00-05:00:00.log.gz
>> conn.10:00:00-11:00:00.log.gz
>> dpd.11:00:00-12:00:00.log.gz
>> loaded_scripts.12:45:56-12:58:35.log.gz
>> snmp.02:00:00-03:00:00.log.gz
>> tunnel.11:00:00-12:00:00.log.gz
>> app_stats.05:00:00-06:00:00.log.gz
>> conn.11:00:00-12:00:00.log.gz
>> dpd.12:00:00-13:00:00.log.gz
>> loaded_scripts.12:58:38-13:00:00.log.gz
>> snmp.03:00:00-04:00:00.log.gz
>> tunnel.12:00:00-13:00:00.log.gz
>> app_stats.06:00:00-07:00:00.log.gz
>> conn.12:00:00-13:00:00.log.gz
>> files.00:00:00-01:00:00.log.gz
>> notice.00:00:00-01:00:00.log.gz
>> snmp.09:00:00-10:00:00.log.gz
>> weird.00:00:00-01:00:00.log.gz
>> app_stats.07:00:00-08:00:00.log.gz
>> conn-summary.00:00:00-01:00:00.log.gz
>> files.01:00:00-02:00:00.log.gz
>> notice.01:00:00-02:00:00.log.gz
>> snmp.10:00:00-11:00:00.log.gz
>> weird.01:00:00-02:00:00.log.gz
>> app_stats.08:00:00-09:00:00.log.gz
>> conn-summary.01:00:00-02:00:00.log.gz
>> files.02:00:00-03:00:00.log.gz
>> notice.02:00:00-03:00:00.log.gz
>> snmp.11:00:00-12:00:00.log.gz
>> weird.02:00:00-03:00:00.log.gz
>> app_stats.09:00:00-10:00:00.log.gz
>> conn-summary.02:00:00-03:00:00.log.gz
>> files.03:00:00-04:00:00.log.gz
>> notice.03:00:00-04:00:00.log.gz
>> software.00:00:00-01:00:00.log.gz
>> weird.03:00:00-04:00:00.log.gz
>> app_stats.10:00:00-11:00:00.log.gz
>> conn-summary.03:00:00-04:00:00.log.gz
>> files.04:00:00-05:00:00.log.gz
>> notice.04:00:00-05:00:00.log.gz
>> software.01:00:00-02:00:00.log.gz
>> weird.04:00:00-05:00:00.log.gz
>>
>> …
>>
>>
>> Is there a configuration directive that I'm missing?
>>
>> Thanks in advance for any help.
>>
>> -Andrew
>>
>>
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
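The archive naming scheme discussed in the thread (`<stream>.<start>-<end>.log.gz`, one file per rotation interval) makes it easy to audit whether any rotation windows are missing or were cut short by a restart, which matters when the archived logs are the evidence trail. The following Python is an added example, not code from the thread or from the Bro project; the filenames in SAMPLE are copied from the listing quoted above, and a one-hour rotation interval is assumed because that is what the listing shows.

```python
import re
from collections import defaultdict

# Archived Bro logs are named <stream>.<start>-<end>.log.gz, with start and end as
# HH:MM:SS inside the day's archive directory (e.g. logs/2015-06-18/).
NAME_RE = re.compile(r"^([A-Za-z0-9_-]+)\.(\d\d:\d\d:\d\d)-(\d\d:\d\d:\d\d)\.log\.gz$")

def hms_to_seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def seconds_to_hms(sec):
    return "%02d:%02d:%02d" % (sec // 3600, sec % 3600 // 60, sec % 60)

def parse_archive_name(name):
    """Return (stream, start_sec, end_sec); None for active logs like stderr.log."""
    m = NAME_RE.match(name)
    if not m:
        return None
    return m.group(1), hms_to_seconds(m.group(2)), hms_to_seconds(m.group(3))

def coverage_gaps(names):
    """Per stream, the HH:MM:SS ranges where one archive ends before the next begins."""
    windows = defaultdict(list)
    for name in names:
        parsed = parse_archive_name(name)
        if parsed:
            windows[parsed[0]].append(parsed[1:])
    gaps = {}
    for stream, spans in windows.items():
        spans.sort()
        missing = [(seconds_to_hms(a_end), seconds_to_hms(b_start))
                   for (_, a_end), (b_start, _) in zip(spans, spans[1:]) if b_start > a_end]
        if missing:
            gaps[stream] = missing
    return gaps

def irregular_windows(names, interval=3600):
    """Archives not spanning one full interval aligned to it; these usually mark a Bro restart."""
    return sorted(n for n in names if (p := parse_archive_name(n))
                  and (p[1] % interval or p[2] - p[1] != interval))

# Constructed sample, taken from the archive listing quoted in the thread.
SAMPLE = [
    "conn.06:00:00-07:00:00.log.gz", "conn.07:00:00-08:00:00.log.gz",
    "snmp.00:00:00-01:00:00.log.gz", "snmp.01:00:00-02:00:00.log.gz", "snmp.03:00:00-04:00:00.log.gz",
    "reporter.12:49:56-12:58:35.log.gz", "reporter.13:02:38-13:06:00.log.gz",
    "stderr.log",  # an active log from spool/manager; the parser skips it
]
```

Run against `os.listdir()` of a day's archive directory, a non-empty result from `coverage_gaps` means rotated files never reached the archive, while `irregular_windows` separates the short windows a restart produces from a genuinely missing interval.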