[Bro] http.log stops logging
Ben McDowall
Ben.McDowall at spark.co.nz
Fri Aug 5 23:14:05 PDT 2016
Sorted now. Rebooted my guest; that didn't work. Rebooted my host platform, now all working. Strange as.
:) As you all were
-------- Original message --------
From: "Hoelzer, Dave" <dhoelzer at sans.org>
Date: 5/08/16 11:13 PM (GMT+12:00)
To: Ben McDowall <Ben.McDowall at spark.co.nz>, bro at bro.org
Subject: Re: [Bro] http.log stops logging
Just a thought... Are you sure that no one has changed the network around and that the HTTP traffic is still passing the bro sensor? If it creates the log then it sees something and is working (for the moment, assume correctly). If it saw nothing, no log. Could someone have changed a path on you?
-------------------
David Hoelzer
Fellow, SANS Institute
Dean of Faculty, SANS Technology Institute
On August 4, 2016 at 9:41:08 PM, Ben McDowall (ben.mcdowall at spark.co.nz) wrote:
I have a weird condition going on in which Bro stops logging after the file size of http hits 100-odd KB. It just started happening the other morning (5am).
-rw-r--r-- 1 root root 107K Aug 5 00:00 http.23:00:00-00:00:00.log.gz
-rw-r--r-- 1 root root 107K Aug 4 23:00 http.22:00:00-23:00:00.log.gz
-rw-r--r-- 1 root root 107K Aug 4 22:00 http.21:00:00-22:00:00.log.gz
-rw-r--r-- 1 root root 106K Aug 4 21:00 http.20:00:00-21:00:00.log.gz
-rw-r--r-- 1 root root 107K Aug 4 20:00 http.19:00:00-20:00:00.log.gz
-rw-r--r-- 1 root root 107K Aug 4 19:00 http.18:00:00-19:00:00.log.gz
-rw-r--r-- 1 root root 108K Aug 4 18:00 http.17:00:00-18:00:00.log.gz
-rw-r--r-- 1 root root 108K Aug 4 17:00 http.16:00:00-17:00:00.log.gz
-rw-r--r-- 1 root root 107K Aug 4 16:00 http.15:00:00-16:00:00.log.gz
-rw-r--r-- 1 root root 107K Aug 4 15:00 http.14:00:00-15:00:00.log.gz
-rw-r--r-- 1 root root 106K Aug 4 14:00 http.13:00:00-14:00:00.log.gz
-rw-r--r-- 1 root root 106K Aug 4 13:00 http.12:00:00-13:00:00.log.gz
-rw-r--r-- 1 root root 107K Aug 4 12:00 http.11:00:00-12:00:00.log.gz
-rw-r--r-- 1 root root 109K Aug 4 11:00 http.10:00:00-11:00:00.log.gz
-rw-r--r-- 1 root root 110K Aug 4 10:00 http.09:00:00-10:00:00.log.gz
-rw-r--r-- 1 root root 110K Aug 4 09:00 http.08:00:00-09:00:00.log.gz
-rw-r--r-- 1 root root 112K Aug 4 08:00 http.07:00:00-08:00:00.log.gz
-rw-r--r-- 1 root root 110K Aug 4 07:00 http.06:00:00-07:00:00.log.gz
-rw-r--r-- 1 root root 476K Aug 4 06:00 http.05:00:00-06:00:00.log.gz
-rw-r--r-- 1 root root 30M Aug 4 05:00 http.04:00:00-05:00:00.log.gz
-rw-r--r-- 1 root root 34M Aug 4 04:00 http.03:00:00-04:00:00.log.gz
-rw-r--r-- 1 root root 34M Aug 4 03:00 http.02:00:00-03:00:00.log.gz
-rw-r--r-- 1 root root 40M Aug 4 02:00 http.01:00:00-02:00:00.log.gz
-rw-r--r-- 1 root root 45M Aug 4 01:00 http.00:00:00-01:00:00.log.gz
Has anyone else encountered this before? I have 3 workers as I load balance the traffic going to my server.