[Bro] logs in bro/spool/manager not consistent with archived logs

Duba, Andrew andrew_duba at wustl.edu
Thu Jun 18 13:15:33 PDT 2015


That’s the weird part. I have a complete set of conn logs that have been
archived (see below) and they have real data in them.
-rw-r--r-- 1 root root 1.5M Jun 18 01:00 conn.00:00:00-01:00:00.log.gz
-rw-r--r-- 1 root root 826K Jun 18 02:00 conn.01:00:00-02:00:00.log.gz
-rw-r--r-- 1 root root 443K Jun 18 03:00 conn.02:00:00-03:00:00.log.gz
-rw-r--r-- 1 root root 387K Jun 18 04:00 conn.03:00:00-04:00:00.log.gz
-rw-r--r-- 1 root root 312K Jun 18 05:00 conn.04:00:00-05:00:00.log.gz
-rw-r--r-- 1 root root 366K Jun 18 06:00 conn.05:00:00-06:00:00.log.gz
-rw-r--r-- 1 root root 501K Jun 18 07:00 conn.06:00:00-07:00:00.log.gz
-rw-r--r-- 1 root root 1.3M Jun 18 08:00 conn.07:00:00-08:00:00.log.gz
-rw-r--r-- 1 root root 1.5M Jun 18 09:00 conn.08:00:00-09:00:00.log.gz
-rw-r--r-- 1 root root 3.5M Jun 18 10:00 conn.09:00:00-10:00:00.log.gz
-rw-r--r-- 1 root root 3.6M Jun 18 11:00 conn.10:00:00-11:00:00.log.gz
-rw-r--r-- 1 root root 3.9M Jun 18 12:00 conn.11:00:00-12:00:00.log.gz
-rw-r--r-- 1 root root 6.4M Jun 18 13:00 conn.12:00:00-13:00:00.log.gz
-rw-r--r-- 1 root root 3.7M Jun 18 14:00 conn.13:00:00-14:00:00.log.gz
-rw-r--r-- 1 root root 4.1M Jun 18 15:00 conn.14:00:00-15:00:00.log.gz



But no current/conn.log.  This is a real head scratcher.

-Andrew

On 6/18/15, 2:40 PM, "Daniel Thayer" <dnthayer at illinois.edu> wrote:

>There is no special setting needed to get Bro to log
>to conn.log.
>
>The "current" conn.log is the log that Bro is writing now,
>so if you don't see that file, then that would indicate that
>Bro hasn't written anything to that log since the last log
>rotation (by default, logs are rotated once per hour).
>However, it is quite unusual to not see a conn.log, which
>may indicate a problem with your setup.  If your Bro never
>writes to conn.log, then you would not see any archived
>conn.log either.
>
>
>
>On 06/18/2015 02:17 PM, Duba, Andrew wrote:
>> So why is it I’m not getting a conn.log in the "current" directory but
>> I’m getting conn.xx:xx:xx-yy:yy:yy.log.gz in the archive directories?  Is
>> there some kind of a directive that I need to set that I’m missing?
>>
>> -Andrew
>>
>> On 6/18/15, 2:09 PM, "Daniel Thayer" <dnthayer at illinois.edu> wrote:
>>
>>> Correct.  The naming convention used for the archived logs
>>> is to organize them by day (each day gets its own subdirectory under
>>> the "logs" directory), and the filename of each log contains
>>> the time range of that log.  For example, conn.06:00:00-07:00:00.log.gz
>>> is the conn.log for the time period 6:00am to 7:00am.
>>>
>>>
>>> On 06/18/2015 01:46 PM, Duba, Andrew wrote:
>>>> Right.  The “logs” directory has compressed versions of the files that
>>>> are under “current” but all I’m seeing under current are the 5 logs which
>>>> do not map to the naming scheme in the archived directories.
>>>>
>>>> -Andrew
>>>>
>>>> On 6/18/15, 1:23 PM, "Daniel Thayer" <dnthayer at illinois.edu> wrote:
>>>>
>>>>> The directory "spool/manager" is where the current (i.e., active) logs
>>>>> are located.  The "logs" directory is where the archived logs are
>>>>> located.  Logs are archived according to the log rotation interval
>>>>> specified in your configuration.
>>>>>
>>>>>
>>>>> On 06/18/2015 01:13 PM, Duba, Andrew wrote:
>>>>>> I’m running bro in my test environment and if I do an ls on the
>>>>>> directory where current logs are supposed to be stored I get this
>>>>>>
>>>>>> root at spot:/usr/local/bro/logs# ls /usr/local/bro/spool/manager
>>>>>>
>>>>>> communication.log  loaded_scripts.log  reporter.log  stderr.log
>>>>>> stdout.log
>>>>>>
>>>>>>
>>>>>>
>>>>>> If I run an ls in one of the archived directories I get this
>>>>>>
>>>>>>
>>>>>>
>>>>>> app_stats.00:00:00-01:00:00.log.gz  conn.06:00:00-07:00:00.log.gz  dpd.07:00:00-08:00:00.log.gz  known_services.00:00:00-01:00:00.log.gz  reporter.12:49:56-12:58:35.log.gz  ssl.12:00:00-13:00:00.log.gz
>>>>>> app_stats.01:00:00-02:00:00.log.gz  conn.07:00:00-08:00:00.log.gz  dpd.08:00:00-09:00:00.log.gz  known_services.01:00:00-02:00:00.log.gz  reporter.13:02:38-13:06:00.log.gz  tunnel.07:00:00-08:00:00.log.gz
>>>>>> app_stats.02:00:00-03:00:00.log.gz  conn.08:00:00-09:00:00.log.gz  dpd.09:00:00-10:00:00.log.gz  known_services.09:00:00-10:00:00.log.gz  snmp.00:00:00-01:00:00.log.gz  tunnel.08:00:00-09:00:00.log.gz
>>>>>> app_stats.03:00:00-04:00:00.log.gz  conn.09:00:00-10:00:00.log.gz  dpd.10:00:00-11:00:00.log.gz  known_services.12:00:00-13:00:00.log.gz  snmp.01:00:00-02:00:00.log.gz  tunnel.10:00:00-11:00:00.log.gz
>>>>>> app_stats.04:00:00-05:00:00.log.gz  conn.10:00:00-11:00:00.log.gz  dpd.11:00:00-12:00:00.log.gz  loaded_scripts.12:45:56-12:58:35.log.gz  snmp.02:00:00-03:00:00.log.gz  tunnel.11:00:00-12:00:00.log.gz
>>>>>> app_stats.05:00:00-06:00:00.log.gz  conn.11:00:00-12:00:00.log.gz  dpd.12:00:00-13:00:00.log.gz  loaded_scripts.12:58:38-13:00:00.log.gz  snmp.03:00:00-04:00:00.log.gz  tunnel.12:00:00-13:00:00.log.gz
>>>>>> app_stats.06:00:00-07:00:00.log.gz  conn.12:00:00-13:00:00.log.gz  files.00:00:00-01:00:00.log.gz  notice.00:00:00-01:00:00.log.gz  snmp.09:00:00-10:00:00.log.gz  weird.00:00:00-01:00:00.log.gz
>>>>>> app_stats.07:00:00-08:00:00.log.gz  conn-summary.00:00:00-01:00:00.log.gz  files.01:00:00-02:00:00.log.gz  notice.01:00:00-02:00:00.log.gz  snmp.10:00:00-11:00:00.log.gz  weird.01:00:00-02:00:00.log.gz
>>>>>> app_stats.08:00:00-09:00:00.log.gz  conn-summary.01:00:00-02:00:00.log.gz  files.02:00:00-03:00:00.log.gz  notice.02:00:00-03:00:00.log.gz  snmp.11:00:00-12:00:00.log.gz  weird.02:00:00-03:00:00.log.gz
>>>>>> app_stats.09:00:00-10:00:00.log.gz  conn-summary.02:00:00-03:00:00.log.gz  files.03:00:00-04:00:00.log.gz  notice.03:00:00-04:00:00.log.gz  software.00:00:00-01:00:00.log.gz  weird.03:00:00-04:00:00.log.gz
>>>>>> app_stats.10:00:00-11:00:00.log.gz  conn-summary.03:00:00-04:00:00.log.gz  files.04:00:00-05:00:00.log.gz  notice.04:00:00-05:00:00.log.gz  software.01:00:00-02:00:00.log.gz  weird.04:00:00-05:00:00.log.gz
>>>>>>
>>>>>> …
>>>>>>
>>>>>>
>>>>>> Is there a configuration directive that I’m missing?
>>>>>>
>>>>>> Thanks in advance for any help.
>>>>>>
>>>>>> -Andrew
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Bro mailing list
>>>>>> bro at bro-ids.org
>>>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>>>>
>>>>
>>>>
>>>>
>>
>>
>>
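Daniel's explanation of the two directories and of the archive naming convention can be turned into a small audit. The Python below is an added example, not code from the thread's participants or from the Bro project; it assumes only the conventions described in the thread (active logs as "<stream>.log" in spool/manager, archives as "<stream>.<HH:MM:SS>-<HH:MM:SS>.log.gz" in a per-day directory). Its sample listings are constructed from names quoted in the thread, with one conn hour deliberately left out. It reports, per stream, the windows with no archived log, and the streams that have archives for the day but no active log in the spool, which is the symptom Andrew describes.

```python
"""Audit Bro archive and spool listings for rotation gaps and missing current logs.

Added example for the mailing-list thread above; not code from the thread's
participants or from the Bro project.  Assumes only the naming conventions
described there.
"""
import re
from collections import defaultdict
from datetime import timedelta

# Archived-log naming convention quoted in the thread, e.g. conn.06:00:00-07:00:00.log.gz.
ARCHIVE_RE = re.compile(
    r"^(?P<stream>[A-Za-z0-9_-]+)\."
    r"(?P<start>\d{2}:\d{2}:\d{2})-(?P<end>\d{2}:\d{2}:\d{2})\.log\.gz$"
)

# Constructed sample input: the five active logs the thread shows in spool/manager.
SPOOL_LISTING = ["communication.log", "loaded_scripts.log", "reporter.log",
                 "stderr.log", "stdout.log"]

# Constructed sample input: names taken from the archived listings quoted in
# the thread, with conn.03:00:00-04:00:00 deliberately left out to show a gap.
ARCHIVE_LISTING = [
    "app_stats.00:00:00-01:00:00.log.gz",
    "conn.00:00:00-01:00:00.log.gz",
    "conn.01:00:00-02:00:00.log.gz",
    "conn.02:00:00-03:00:00.log.gz",
    "conn.04:00:00-05:00:00.log.gz",
    "dpd.07:00:00-08:00:00.log.gz",
    "dpd.08:00:00-09:00:00.log.gz",
    "known_services.00:00:00-01:00:00.log.gz",
    "reporter.12:49:56-12:58:35.log.gz",
    "reporter.13:02:38-13:06:00.log.gz",
    "ssl.12:00:00-13:00:00.log.gz",
]


def parse_hms(text):
    """'HH:MM:SS' -> timedelta since midnight, so ranges can be compared."""
    hours, minutes, seconds = (int(part) for part in text.split(":"))
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


def fmt_hms(delta):
    """timedelta since midnight -> 'HH:MM:SS' for reporting."""
    total = int(delta.total_seconds())
    return "%02d:%02d:%02d" % (total // 3600, (total % 3600) // 60, total % 60)


def parse_archive_name(name):
    """Return (stream, start, end) for an archived log name, or None when the
    name does not follow the convention (e.g. a stray, unrotated .log file)."""
    match = ARCHIVE_RE.match(name)
    if not match:
        return None
    return (match.group("stream"),
            parse_hms(match.group("start")), parse_hms(match.group("end")))


def coverage_gaps(archive_names):
    """Per stream, list the (start, end) windows, as 'HH:MM:SS' strings, that
    have no archived log between that stream's first and last archive."""
    spans = defaultdict(list)
    for name in archive_names:
        parsed = parse_archive_name(name)
        if parsed is not None:
            stream, start, end = parsed
            spans[stream].append((start, end))
    gaps = {}
    for stream, ranges in spans.items():
        ranges.sort()
        stream_gaps = []
        covered_until = ranges[0][1]
        for start, end in ranges[1:]:
            if start > covered_until:
                stream_gaps.append((fmt_hms(covered_until), fmt_hms(start)))
            covered_until = max(covered_until, end)
        gaps[stream] = stream_gaps
    return gaps


def missing_current(spool_names, archive_names):
    """Streams that have archived logs for the day but no active <stream>.log
    in the spool directory: the symptom described in the thread for conn.log."""
    active = {n[:-len(".log")] for n in spool_names if n.endswith(".log")}
    archived = {p[0] for p in map(parse_archive_name, archive_names) if p}
    return sorted(archived - active)


if __name__ == "__main__":
    for stream, gaps in sorted(coverage_gaps(ARCHIVE_LISTING).items()):
        for gap_start, gap_end in gaps:
            print("gap in %s: %s-%s" % (stream, gap_start, gap_end))
    print("archived but not active:",
          ", ".join(missing_current(SPOOL_LISTING, ARCHIVE_LISTING)))
```

On a real sensor, feed it `os.listdir()` of spool/manager and of the archive day directory instead of the constructed lists. As Daniel notes, a stream missing from the spool only means nothing has been written to it since the last rotation, so a missing ssl.log or known_services.log is routine; the case worth chasing is conn.log absent from the spool while conn archives keep appearing every hour, or a hole in conn coverage on a tap that is carrying traffic.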



