[Bro] http.log stops logging

Ben McDowall Ben.McDowall at spark.co.nz
Fri Aug 5 23:14:05 PDT 2016


Sorted now. Rebooted my guest that didn't work. Rebooted my host platform now all working. Strange as.

:) As you all were



Sent from my Samsung Galaxy smartphone.


-------- Original message --------
From: "Hoelzer, Dave" <dhoelzer at sans.org>
Date: 5/08/16 11:13 PM (GMT+12:00)
To: Ben McDowall <Ben.McDowall at spark.co.nz>, bro at bro.org
Subject: Re: [Bro] http.log stops logging

Just a thought... Are you sure that no one has changed the network around and that the HTTP traffic is still passing the bro sensor? If it creates the log then it sees something and is working (for the moment, assume correctly). If it saw nothing, no log.. Could someone have changed a path on you?


-------------------
David Hoelzer
Fellow, SANS Institute
Dean of Faculty, SANS Technology Institute


On August 4, 2016 at 9:41:08 PM, Ben McDowall (ben.mcdowall at spark.co.nz<mailto:ben.mcdowall at spark.co.nz>) wrote:
I have a weird condition going on in which Bro stops loging after the filesize of http hits 100 odd kb it just started happening the other morning (5am)

-rw-r--r-- 1 root root  107K Aug  5 00:00 http.23:00:00-00:00:00.log.gz
-rw-r--r-- 1 root root  107K Aug  4 23:00 http.22:00:00-23:00:00.log.gz
-rw-r--r-- 1 root root  107K Aug  4 22:00 http.21:00:00-22:00:00.log.gz
-rw-r--r-- 1 root root  106K Aug  4 21:00 http.20:00:00-21:00:00.log.gz
-rw-r--r-- 1 root root  107K Aug  4 20:00 http.19:00:00-20:00:00.log.gz
-rw-r--r-- 1 root root  107K Aug  4 19:00 http.18:00:00-19:00:00.log.gz
-rw-r--r-- 1 root root  108K Aug  4 18:00 http.17:00:00-18:00:00.log.gz
-rw-r--r-- 1 root root  108K Aug  4 17:00 http.16:00:00-17:00:00.log.gz
-rw-r--r-- 1 root root  107K Aug  4 16:00 http.15:00:00-16:00:00.log.gz
-rw-r--r-- 1 root root  107K Aug  4 15:00 http.14:00:00-15:00:00.log.gz
-rw-r--r-- 1 root root  106K Aug  4 14:00 http.13:00:00-14:00:00.log.gz
-rw-r--r-- 1 root root  106K Aug  4 13:00 http.12:00:00-13:00:00.log.gz
-rw-r--r-- 1 root root  107K Aug  4 12:00 http.11:00:00-12:00:00.log.gz
-rw-r--r-- 1 root root  109K Aug  4 11:00 http.10:00:00-11:00:00.log.gz
-rw-r--r-- 1 root root  110K Aug  4 10:00 http.09:00:00-10:00:00.log.gz
-rw-r--r-- 1 root root  110K Aug  4 09:00 http.08:00:00-09:00:00.log.gz
-rw-r--r-- 1 root root  112K Aug  4 08:00 http.07:00:00-08:00:00.log.gz
-rw-r--r-- 1 root root  110K Aug  4 07:00 http.06:00:00-07:00:00.log.gz
-rw-r--r-- 1 root root  476K Aug  4 06:00 http.05:00:00-06:00:00.log.gz
-rw-r--r-- 1 root root   30M Aug  4 05:00 http.04:00:00-05:00:00.log.gz
-rw-r--r-- 1 root root   34M Aug  4 04:00 http.03:00:00-04:00:00.log.gz
-rw-r--r-- 1 root root   34M Aug  4 03:00 http.02:00:00-03:00:00.log.gz
-rw-r--r-- 1 root root   40M Aug  4 02:00 http.01:00:00-02:00:00.log.gz
-rw-r--r-- 1 root root   45M Aug  4 01:00 http.00:00:00-01:00:00.log.gz

Has anyone else encountered this before? I have 3 workers as I load balance the traffic going to my server.
_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160806/fb6aca36/attachment.html 


More information about the Bro mailing list