[Bro] logs in bro/spool/manager not consistent with archived logs

Daniel Thayer dnthayer at illinois.edu
Thu Jun 18 12:40:08 PDT 2015


There is no special setting needed to get Bro to log
to conn.log.

The "current" conn.log is the log that Bro is writing now,
so if you don't see that file, then that would indicate that
Bro hasn't written anything to that log since the last log
rotation (by default, logs are rotated once per hour).
However, it is quite unusual to not see a conn.log, which
may indicate a problem with your setup.  If your Bro never
writes to conn.log, then you would not see any archived
conn.log either.



On 06/18/2015 02:17 PM, Duba, Andrew wrote:
> So why is it I’m not getting a conn.log in the "current" directory but I’m
> getting conn.xx:xx:xx-yy:yy:yy.log.gz in the archive directories?  Is
> there some kind of a directive that I need to set that I’m missing?
>
> -Andrew
>
> On 6/18/15, 2:09 PM, "Daniel Thayer" <dnthayer at illinois.edu> wrote:
>
>> Correct.  The naming convention used for the archived logs
>> is to organize them by day (each day gets its own subdirectory under
>> the "logs" directory), and the filename of each log contains
>> the time range of that log.  For example, conn.06:00:00-07:00:00.log.gz
>> is the conn.log for the time period 6:00am to 7:00am.
>>
>>
>> On 06/18/2015 01:46 PM, Duba, Andrew wrote:
>>> Right.  The "logs" directory has compressed versions of the files that
>>> are under "current" but all I'm seeing under current are the 5 logs which
>>> do not map to the naming scheme in the archived directories.
>>>
>>> -Andrew
>>>
>>> On 6/18/15, 1:23 PM, "Daniel Thayer" <dnthayer at illinois.edu> wrote:
>>>
>>>> The directory "spool/manager" is where the current (i.e., active) logs
>>>> are located.  The "logs" directory is where the archived logs are
>>>> located.  Logs are archived according to the log rotation interval
>>>> specified in your configuration.
>>>>
>>>>
>>>> On 06/18/2015 01:13 PM, Duba, Andrew wrote:
>>>>> I'm running bro in my test environment and if I do an ls on the
>>>>> directory where current logs are supposed to be stored I get this
>>>>>
>>>>> root at spot:/usr/local/bro/logs# ls /usr/local/bro/spool/manager
>>>>>
>>>>> communication.log  loaded_scripts.log  reporter.log  stderr.log
>>>>> stdout.log
>>>>>
>>>>>
>>>>>
>>>>> If I run an ls in one of the archived directories I get this
>>>>>
>>>>> app_stats.00:00:00-01:00:00.log.gz
>>>>> conn.06:00:00-07:00:00.log.gz
>>>>> dpd.07:00:00-08:00:00.log.gz
>>>>> known_services.00:00:00-01:00:00.log.gz
>>>>> reporter.12:49:56-12:58:35.log.gz
>>>>> ssl.12:00:00-13:00:00.log.gz
>>>>>
>>>>> app_stats.01:00:00-02:00:00.log.gz
>>>>> conn.07:00:00-08:00:00.log.gz
>>>>> dpd.08:00:00-09:00:00.log.gz
>>>>> known_services.01:00:00-02:00:00.log.gz
>>>>> reporter.13:02:38-13:06:00.log.gz
>>>>> tunnel.07:00:00-08:00:00.log.gz
>>>>>
>>>>> app_stats.02:00:00-03:00:00.log.gz
>>>>> conn.08:00:00-09:00:00.log.gz
>>>>> dpd.09:00:00-10:00:00.log.gz
>>>>> known_services.09:00:00-10:00:00.log.gz
>>>>> snmp.00:00:00-01:00:00.log.gz
>>>>> tunnel.08:00:00-09:00:00.log.gz
>>>>>
>>>>> app_stats.03:00:00-04:00:00.log.gz
>>>>> conn.09:00:00-10:00:00.log.gz
>>>>> dpd.10:00:00-11:00:00.log.gz
>>>>> known_services.12:00:00-13:00:00.log.gz
>>>>> snmp.01:00:00-02:00:00.log.gz
>>>>> tunnel.10:00:00-11:00:00.log.gz
>>>>>
>>>>> app_stats.04:00:00-05:00:00.log.gz
>>>>> conn.10:00:00-11:00:00.log.gz
>>>>> dpd.11:00:00-12:00:00.log.gz
>>>>> loaded_scripts.12:45:56-12:58:35.log.gz
>>>>> snmp.02:00:00-03:00:00.log.gz
>>>>> tunnel.11:00:00-12:00:00.log.gz
>>>>>
>>>>> app_stats.05:00:00-06:00:00.log.gz
>>>>> conn.11:00:00-12:00:00.log.gz
>>>>> dpd.12:00:00-13:00:00.log.gz
>>>>> loaded_scripts.12:58:38-13:00:00.log.gz
>>>>> snmp.03:00:00-04:00:00.log.gz
>>>>> tunnel.12:00:00-13:00:00.log.gz
>>>>>
>>>>> app_stats.06:00:00-07:00:00.log.gz
>>>>> conn.12:00:00-13:00:00.log.gz
>>>>> files.00:00:00-01:00:00.log.gz
>>>>> notice.00:00:00-01:00:00.log.gz
>>>>> snmp.09:00:00-10:00:00.log.gz
>>>>> weird.00:00:00-01:00:00.log.gz
>>>>>
>>>>> app_stats.07:00:00-08:00:00.log.gz
>>>>> conn-summary.00:00:00-01:00:00.log.gz
>>>>> files.01:00:00-02:00:00.log.gz
>>>>> notice.01:00:00-02:00:00.log.gz
>>>>> snmp.10:00:00-11:00:00.log.gz
>>>>> weird.01:00:00-02:00:00.log.gz
>>>>>
>>>>> app_stats.08:00:00-09:00:00.log.gz
>>>>> conn-summary.01:00:00-02:00:00.log.gz
>>>>> files.02:00:00-03:00:00.log.gz
>>>>> notice.02:00:00-03:00:00.log.gz
>>>>> snmp.11:00:00-12:00:00.log.gz
>>>>> weird.02:00:00-03:00:00.log.gz
>>>>>
>>>>> app_stats.09:00:00-10:00:00.log.gz
>>>>> conn-summary.02:00:00-03:00:00.log.gz
>>>>> files.03:00:00-04:00:00.log.gz
>>>>> notice.03:00:00-04:00:00.log.gz
>>>>> software.00:00:00-01:00:00.log.gz
>>>>> weird.03:00:00-04:00:00.log.gz
>>>>>
>>>>> app_stats.10:00:00-11:00:00.log.gz
>>>>> conn-summary.03:00:00-04:00:00.log.gz
>>>>> files.04:00:00-05:00:00.log.gz
>>>>> notice.04:00:00-05:00:00.log.gz
>>>>> software.01:00:00-02:00:00.log.gz
>>>>> weird.04:00:00-05:00:00.log.gz
>>>>>
>>>>> …
>>>>>
>>>>>
>>>>> Is there a configuration directive that I'm missing?
>>>>>
>>>>> Thanks in advance for any help.
>>>>>
>>>>> -Andrew
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Bro mailing list
>>>>> bro at bro-ids.org
>>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>>>
>>>
>

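The rotation layout Daniel describes (active logs in spool/manager, archived logs in a per-day subdirectory of "logs" named name.HH:MM:SS-HH:MM:SS.log.gz) can be checked mechanically rather than by eyeballing an ls listing. The script below is an added example and is not code from this thread or from Bro/BroControl itself. It assumes the naming scheme stated in the thread, that the per-day directory passed on the command line is one of those archive directories, a default rotation interval of one hour, and that an end time of 00:00:00 denotes a rotation at midnight; the sample listings it embeds are constructed, modelled on the ones Andrew posted, and the conn.log listing is deliberately kept as posted (archives only from 06:00 onward) so the gap report has something to show.

```python
import os
import re
import sys

# Archived log naming scheme as described in the thread (assumed layout):
#   <logs>/<day>/<name>.<HH:MM:SS>-<HH:MM:SS>.log.gz
ARCHIVE_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_-]+)\."
    r"(?P<start>\d{2}:\d{2}:\d{2})-(?P<end>\d{2}:\d{2}:\d{2})"
    r"\.log(?:\.gz)?$"
)
SECONDS_PER_DAY = 24 * 3600


def hms_to_secs(hms):
    """'HH:MM:SS' -> seconds since midnight."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def secs_to_hms(secs):
    """Seconds since midnight -> 'HH:MM:SS'; 86400 renders as 00:00:00."""
    secs %= SECONDS_PER_DAY
    return "%02d:%02d:%02d" % (secs // 3600, (secs % 3600) // 60, secs % 60)


def parse_archive_name(filename):
    """(name, start_secs, end_secs) for an archived log filename, else None.
    An end of 00:00:00 is a rotation at midnight and is mapped to 86400."""
    m = ARCHIVE_RE.match(filename)
    if not m:
        return None
    start, end = hms_to_secs(m.group("start")), hms_to_secs(m.group("end"))
    if end <= start:
        end = SECONDS_PER_DAY
    return m.group("name"), start, end


def coverage_gaps(filenames, log_name, interval_secs=3600,
                  day_end_secs=SECONDS_PER_DAY):
    """Rotation slots [start, end), up to day_end_secs, that no archived
    <log_name> file fully covers. Files written around a restart
    (e.g. reporter.12:49:56-12:58:35) cover only their partial interval."""
    intervals = []
    for fn in filenames:
        parsed = parse_archive_name(fn)
        if parsed is not None and parsed[0] == log_name:
            intervals.append((parsed[1], parsed[2]))
    intervals.sort()
    merged = []  # union of the archived intervals
    for s, e in intervals:
        if merged and s <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    gaps = []
    for slot_start in range(0, day_end_secs, interval_secs):
        slot_end = slot_start + interval_secs
        if not any(s <= slot_start and e >= slot_end for s, e in merged):
            gaps.append((slot_start, slot_end))
    return gaps


def fmt_slot(slot):
    return "%s-%s" % (secs_to_hms(slot[0]), secs_to_hms(slot[1]))


def missing_current(current_files, expected=("conn.log",)):
    """Expected active logs absent from spool/manager, in the given order."""
    present = set(current_files)
    return [name for name in expected if name not in present]


def report(current_files, archive_files, log_name="conn",
           day_end_secs=SECONDS_PER_DAY):
    """One line per finding for the current directory and one day's archive."""
    lines = []
    for name in missing_current(current_files, (log_name + ".log",)):
        lines.append("current: %s not present (nothing written since last rotation?)" % name)
    for slot in coverage_gaps(archive_files, log_name, day_end_secs=day_end_secs):
        lines.append("archive: no complete %s for %s" % (log_name, fmt_slot(slot)))
    return lines


# Constructed sample listings, modelled on the ones posted in the thread.
SAMPLE_CURRENT = ["communication.log", "loaded_scripts.log", "reporter.log",
                  "stderr.log", "stdout.log"]
SAMPLE_ARCHIVE = (
    ["conn.%02d:00:00-%02d:00:00.log.gz" % (h, h + 1) for h in range(6, 13)]
    + ["reporter.12:49:56-12:58:35.log.gz", "reporter.13:02:38-13:06:00.log.gz",
       "conn-summary.00:00:00-01:00:00.log.gz", "README.txt"]
)

if __name__ == "__main__":
    # Usage: python bro_log_gaps.py <spool/manager dir> <logs/<day> dir> [logname]
    if len(sys.argv) >= 3:
        cur, arc = os.listdir(sys.argv[1]), os.listdir(sys.argv[2])
        name = sys.argv[3] if len(sys.argv) > 3 else "conn"
        print("\n".join(report(cur, arc, name)))
    else:
        print("\n".join(report(SAMPLE_CURRENT, SAMPLE_ARCHIVE, "conn", 13 * 3600)))
```

Run against the sample data it reports the missing current conn.log and six uncovered hourly slots (00:00 to 06:00) for the day, which is the kind of evidence that separates "nothing happened in the last hour" from "Bro is not capturing at all": a gap in every slot of a day that other logs cover points at the capture or filter setup rather than at log rotation. Against a live install, point it at the spool and a day directory; the day_end_secs cap matters there, since the current day is always incomplete.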
