[Bro] debugging script
Azoff, Justin S
jazoff at illinois.edu
Thu Aug 4 09:56:11 PDT 2016
> On Aug 4, 2016, at 12:21 PM, Johanna Amann <johanna at icir.org> wrote:
>
> Hi,
>
>> After changing the file contents, the new data doesn't seem to be making it
>> into the table. I tried adding print statements into the 'event entry' but
>> not sure where those prints are going. Where does the output of the print
>> statements go on a running system (i.e. a cluster)? Is there a way for me
>> to add some debugging info into scripts i.e. printf like debugging? Any
>> pointers are much appreciated... thanks.
>
> When you are running with broctl, I think the print output goes into
> [install-base]/spool/[nodename]/stdout.log.
>
> So, e.g. [base]/spool/worker-1/stdout.log.

One gotcha with this (that has tripped me up an embarrassing number of times and as recently as yesterday) is that those files are buffered.

If you only print a few lines, nothing will be written to stdout.log until bro stops. To fix that, you can just do

    print("whatever");
    flush_all();

Or if you are doing a lot of testing, have this in place:

    # Flush all open files, then reschedule this event to run again in 5 seconds.
    event flush() {
        flush_all();
        schedule 5sec { flush() };
    }

    # Start the periodic flush when bro starts.
    event bro_init() {
        schedule 5sec { flush() };
    }

I vaguely remember there is a way to just set all files to be non-buffered... though hard flushing every few seconds probably is better for performance.

--
- Justin Azoff