[Bro] logs in bro/spool/manager not consistent with archived logs

Duba, Andrew andrew_duba at wustl.edu
Thu Jun 18 12:17:46 PDT 2015


So why is it I’m not getting a conn.log in the "current" directory but I’m
getting conn.xx:xx:xx-yy:yy:yy.log.gz in the archive directories?  Is
there some kind of a directive that I need to set that I’m missing?

-Andrew

On 6/18/15, 2:09 PM, "Daniel Thayer" <dnthayer at illinois.edu> wrote:

>Correct.  The naming convention used for the archived logs
>is to organize them by day (each day gets its own subdirectory under
>the "logs" directory), and the filename of each log contains
>the time range of that log.  For example, conn.06:00:00-07:00:00.log.gz
>is the conn.log for the time period 6:00am to 7:00am.
>
>
>On 06/18/2015 01:46 PM, Duba, Andrew wrote:
>> Right.  The "logs" directory has compressed versions of the files that
>> are under "current" but all I'm seeing under current are the 5 logs which do
>> not map to the naming scheme in the archived directories.
>>
>> -Andrew
>>
>> On 6/18/15, 1:23 PM, "Daniel Thayer" <dnthayer at illinois.edu> wrote:
>>
>>> The directory "spool/manager" is where the current (i.e., active) logs
>>> are located.  The "logs" directory is where the archived logs are
>>> located.  Logs are archived according to the log rotation interval
>>> specified in your configuration.
>>>
>>>
>>> On 06/18/2015 01:13 PM, Duba, Andrew wrote:
>>>> I'm running bro in my test environment and if I do an ls on the
>>>> directory where current logs are supposed to be stored I get this
>>>>
>>>> root at spot:/usr/local/bro/logs# ls /usr/local/bro/spool/manager
>>>>
>>>> communication.log  loaded_scripts.log  reporter.log  stderr.log
>>>> stdout.log
>>>>
>>>>
>>>>
>>>> If I run  an ls in one of the archived directories I get this
>>>>
>>>>
>>>> app_stats.00:00:00-01:00:00.log.gz
>>>> app_stats.01:00:00-02:00:00.log.gz
>>>> app_stats.02:00:00-03:00:00.log.gz
>>>> app_stats.03:00:00-04:00:00.log.gz
>>>> app_stats.04:00:00-05:00:00.log.gz
>>>> app_stats.05:00:00-06:00:00.log.gz
>>>> app_stats.06:00:00-07:00:00.log.gz
>>>> app_stats.07:00:00-08:00:00.log.gz
>>>> app_stats.08:00:00-09:00:00.log.gz
>>>> app_stats.09:00:00-10:00:00.log.gz
>>>> app_stats.10:00:00-11:00:00.log.gz
>>>> conn.06:00:00-07:00:00.log.gz
>>>> conn.07:00:00-08:00:00.log.gz
>>>> conn.08:00:00-09:00:00.log.gz
>>>> conn.09:00:00-10:00:00.log.gz
>>>> conn.10:00:00-11:00:00.log.gz
>>>> conn.11:00:00-12:00:00.log.gz
>>>> conn.12:00:00-13:00:00.log.gz
>>>> conn-summary.00:00:00-01:00:00.log.gz
>>>> conn-summary.01:00:00-02:00:00.log.gz
>>>> conn-summary.02:00:00-03:00:00.log.gz
>>>> conn-summary.03:00:00-04:00:00.log.gz
>>>> dpd.07:00:00-08:00:00.log.gz
>>>> dpd.08:00:00-09:00:00.log.gz
>>>> dpd.09:00:00-10:00:00.log.gz
>>>> dpd.10:00:00-11:00:00.log.gz
>>>> dpd.11:00:00-12:00:00.log.gz
>>>> dpd.12:00:00-13:00:00.log.gz
>>>> files.00:00:00-01:00:00.log.gz
>>>> files.01:00:00-02:00:00.log.gz
>>>> files.02:00:00-03:00:00.log.gz
>>>> files.03:00:00-04:00:00.log.gz
>>>> files.04:00:00-05:00:00.log.gz
>>>> known_services.00:00:00-01:00:00.log.gz
>>>> known_services.01:00:00-02:00:00.log.gz
>>>> known_services.09:00:00-10:00:00.log.gz
>>>> known_services.12:00:00-13:00:00.log.gz
>>>> loaded_scripts.12:45:56-12:58:35.log.gz
>>>> loaded_scripts.12:58:38-13:00:00.log.gz
>>>> notice.00:00:00-01:00:00.log.gz
>>>> notice.01:00:00-02:00:00.log.gz
>>>> notice.02:00:00-03:00:00.log.gz
>>>> notice.03:00:00-04:00:00.log.gz
>>>> notice.04:00:00-05:00:00.log.gz
>>>> reporter.12:49:56-12:58:35.log.gz
>>>> reporter.13:02:38-13:06:00.log.gz
>>>> snmp.00:00:00-01:00:00.log.gz
>>>> snmp.01:00:00-02:00:00.log.gz
>>>> snmp.02:00:00-03:00:00.log.gz
>>>> snmp.03:00:00-04:00:00.log.gz
>>>> snmp.09:00:00-10:00:00.log.gz
>>>> snmp.10:00:00-11:00:00.log.gz
>>>> snmp.11:00:00-12:00:00.log.gz
>>>> software.00:00:00-01:00:00.log.gz
>>>> software.01:00:00-02:00:00.log.gz
>>>> ssl.12:00:00-13:00:00.log.gz
>>>> tunnel.07:00:00-08:00:00.log.gz
>>>> tunnel.08:00:00-09:00:00.log.gz
>>>> tunnel.10:00:00-11:00:00.log.gz
>>>> tunnel.11:00:00-12:00:00.log.gz
>>>> tunnel.12:00:00-13:00:00.log.gz
>>>> weird.00:00:00-01:00:00.log.gz
>>>> weird.01:00:00-02:00:00.log.gz
>>>> weird.02:00:00-03:00:00.log.gz
>>>> weird.03:00:00-04:00:00.log.gz
>>>> weird.04:00:00-05:00:00.log.gz
>>>>
>>>> ...
>>>>
>>>>
>>>> Is there a configuration directive that I'm missing?
>>>>
>>>> Thanks in advance for any help.
>>>>
>>>> -Andrew
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Bro mailing list
>>>> bro at bro-ids.org
>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>>
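A defender-side cross-check of the two listings discussed in this thread, added here as an example (it is not from the thread or from the Bro project). It parses the archive naming scheme Daniel describes (`<type>.<HH:MM:SS>-<HH:MM:SS>.log.gz`), recovers individual names from a listing whose column breaks were lost in the mail, and reports which log types exist only in the archive, which exist only as live `.log` files, and where an archived type has a hole between two rotation intervals. The sample names are constructed to match the thread's scheme, and the code assumes the `>` quote prefixes have already been stripped from the pasted listing.

```python
import re

# Archived Bro logs (one directory per day under "logs") are named
# <type>.<HH:MM:SS>-<HH:MM:SS>.log.gz; live logs under spool/manager are <type>.log.
ARCHIVE_RE = re.compile(
    r"^(?P<log>[A-Za-z0-9_-]+)\."
    r"(?P<start>\d{2}:\d{2}:\d{2})-(?P<end>\d{2}:\d{2}:\d{2})\.log\.gz$"
)

# Constructed sample input: the five live files the thread shows under spool/manager ...
CURRENT_LISTING = ["communication.log", "loaded_scripts.log", "reporter.log",
                   "stderr.log", "stdout.log"]

# ... and a run-together `ls` row of an archive directory, in the shape the mail
# wrapper left it (constructed names; quote prefixes assumed already stripped).
ARCHIVE_BLOB = (
    "app_stats.00:00:00-01:00:00.log.gzconn.06:00:00-07:00:00.log.gz"
    "conn.07:00:00-08:00:00.log.gzconn.09:00:00-10:00:00.log.gz"
    "reporter.12:49:56-12:58:35.log.gzconn-summary.00:00:00-01:00:00.log.gz"
)


def split_listing(blob):
    """Recover individual file names from a listing whose column breaks were lost."""
    return [n + ".log.gz" for n in blob.replace("\n", "").split(".log.gz") if n]


def parse_archive_name(name):
    """Return (log type, start, end) or raise if the name is not an archived log."""
    m = ARCHIVE_RE.match(name)
    if not m:
        raise ValueError(f"not an archived Bro log name: {name!r}")
    return m.group("log"), m.group("start"), m.group("end")


def to_seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def to_hms(secs):
    return f"{secs // 3600:02d}:{secs % 3600 // 60:02d}:{secs % 60:02d}"


def compare(current_names, archive_names):
    """Cross-check live and archived logs.

    Returns (types only in the archive, types only live,
             {type: [(gap_start, gap_end), ...]}).
    A type that is archived but has no live file, or a hole between two archived
    intervals of one type, means the logger or its rotation is not doing what the
    configuration is expected to produce and is worth investigating.
    """
    current_types = {n[:-len(".log")] for n in current_names if n.endswith(".log")}
    intervals = {}
    for n in archive_names:
        log, start, end = parse_archive_name(n)
        intervals.setdefault(log, []).append((to_seconds(start), to_seconds(end)))
    gaps = {}
    for log, ivs in intervals.items():
        ivs.sort()
        for (_, end1), (start2, _) in zip(ivs, ivs[1:]):
            if start2 > end1:  # next interval does not start where the last one ended
                gaps.setdefault(log, []).append((to_hms(end1), to_hms(start2)))
    return set(intervals) - current_types, current_types - set(intervals), gaps


def report():
    """Run the comparison over the constructed sample listings."""
    return compare(CURRENT_LISTING, split_listing(ARCHIVE_BLOB))


if __name__ == "__main__":
    only_archived, only_live, gaps = report()
    print("archived but no live file:", sorted(only_archived))
    print("live but never archived  :", sorted(only_live))
    for log, holes in gaps.items():
        for a, b in holes:
            print(f"gap in {log}: {a} to {b}")
```

On real hosts, replace the two constructed listings with `os.listdir()` of `spool/manager` and of one `logs/<date>` directory; the gap check is per day because the archive names carry only a time of day, not a date.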