[Bro] http.log stops logging

Azoff, Justin S jazoff at illinois.edu
Thu Aug 4 18:52:14 PDT 2016 

Does your reporter.log contain anything?  Is that the only log file that is having this problem?

What do those log files contain?  Is it normal logs up until a certain port, or is the only thing in the http.log a certain kind of request?  does the conn.log contain entries for all the http traffic you are missing?
 
-- 
- Justin Azoff

> On Aug 4, 2016, at 9:38 PM, Ben McDowall <Ben.McDowall at spark.co.nz> wrote:
> 
> I have a weird condition going on in which Bro stops loging after the filesize of http hits 100 odd kb it just started happening the other morning (5am)
>  
> -rw-r--r-- 1 root root  107K Aug  5 00:00 http.23:00:00-00:00:00.log.gz
> -rw-r--r-- 1 root root  107K Aug  4 23:00 http.22:00:00-23:00:00.log.gz
> -rw-r--r-- 1 root root  107K Aug  4 22:00 http.21:00:00-22:00:00.log.gz
> -rw-r--r-- 1 root root  106K Aug  4 21:00 http.20:00:00-21:00:00.log.gz
> -rw-r--r-- 1 root root  107K Aug  4 20:00 http.19:00:00-20:00:00.log.gz
> -rw-r--r-- 1 root root  107K Aug  4 19:00 http.18:00:00-19:00:00.log.gz
> -rw-r--r-- 1 root root  108K Aug  4 18:00 http.17:00:00-18:00:00.log.gz
> -rw-r--r-- 1 root root  108K Aug  4 17:00 http.16:00:00-17:00:00.log.gz
> -rw-r--r-- 1 root root  107K Aug  4 16:00 http.15:00:00-16:00:00.log.gz
> -rw-r--r-- 1 root root  107K Aug  4 15:00 http.14:00:00-15:00:00.log.gz
> -rw-r--r-- 1 root root  106K Aug  4 14:00 http.13:00:00-14:00:00.log.gz
> -rw-r--r-- 1 root root  106K Aug  4 13:00 http.12:00:00-13:00:00.log.gz
> -rw-r--r-- 1 root root  107K Aug  4 12:00 http.11:00:00-12:00:00.log.gz
> -rw-r--r-- 1 root root  109K Aug  4 11:00 http.10:00:00-11:00:00.log.gz
> -rw-r--r-- 1 root root  110K Aug  4 10:00 http.09:00:00-10:00:00.log.gz
> -rw-r--r-- 1 root root  110K Aug  4 09:00 http.08:00:00-09:00:00.log.gz
> -rw-r--r-- 1 root root  112K Aug  4 08:00 http.07:00:00-08:00:00.log.gz
> -rw-r--r-- 1 root root  110K Aug  4 07:00 http.06:00:00-07:00:00.log.gz
> -rw-r--r-- 1 root root  476K Aug  4 06:00 http.05:00:00-06:00:00.log.gz
> -rw-r--r-- 1 root root   30M Aug  4 05:00 http.04:00:00-05:00:00.log.gz
> -rw-r--r-- 1 root root   34M Aug  4 04:00 http.03:00:00-04:00:00.log.gz
> -rw-r--r-- 1 root root   34M Aug  4 03:00 http.02:00:00-03:00:00.log.gz
> -rw-r--r-- 1 root root   40M Aug  4 02:00 http.01:00:00-02:00:00.log.gz
> -rw-r--r-- 1 root root   45M Aug  4 01:00 http.00:00:00-01:00:00.log.gz
>  
> Has anyone else encountered this before? I have 3 workers as I load balance the traffic going to my server.
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list