[Bro] Bro 2.5 and log rotation

James Lay jlay at slave-tothe-box.net
Thu Dec 22 05:49:47 PST 2016


I guess I'm in this boat as well.  Since my upgrade, bro will stop
rotating logs at some point.  I'm not running bro via broctl.  Here's
my process for log rotation:

local.bro:
        redef Log::default_rotation_interval = 86400 secs;
        redef Log::default_rotation_postprocessor_cmd = "archive-log";

broctl.cfg:
        LogRotationInterval = 86400

sudo /usr/local/bro/bin/broctl install

sudo ln -s /usr/local/bro/share/broctl/scripts/archive-log /usr/local/bin/
sudo ln -s /usr/local/bro/share/broctl/scripts/broctl-config.sh /usr/local/bin/
sudo ln -s /usr/local/bro/share/broctl/scripts/make-archive-name /usr/local/bin/
sudo ln -s /usr/local/bro/share/broctl/scripts/expire-logs /usr/local/bin/
sudo ln -s /usr/local/bro/share/broctl/scripts/delete-log /usr/local/bin/
sudo ln -s /usr/local/bro/share/broctl/scripts/cflow-stats /usr/local/bin/
sudo ln -s /usr/local/bro/share/broctl/scripts/stats-to-csv /usr/local/bin/

This will work for a while.  But at some point it stops:

At the core I believe it's because bro, after some time, won't respond
to a "normal" kill command.  A "sudo killall bro" will do nothing.
Usually I'll "sudo killall bro", wait a minute, and then my spool
directory will be empty, I'll have an email with stats, and I'll have
my new archive directory.  I'll have to -9 it in order to get it to
stop.  I've restarted this morning and will see how many days it will
go.  Thank you.

James
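A small monitoring check for the failure mode described above (rotation silently stopping), added here as an example; it is not code from James's post or from the Bro/BroControl project. It assumes the default standalone broctl spool directory /usr/local/bro/spool/bro (overridable via SPOOL) and the 86400-second rotation interval from the post, and flags any *.log file in the spool that is older than two intervals.

```shell
#!/bin/sh
# Added example (not from the post): detect a stalled Bro log rotation by
# looking for live log files in the spool directory that have outlived the
# configured rotation interval. Paths below are assumed defaults.

# stale_logs DIR INTERVAL_SECONDS
#   Prints each *.log file in DIR whose mtime is older than twice INTERVAL
#   (the slack keeps a rotation that is merely in progress from being
#   flagged). Returns 1 if any stale file was found, 0 otherwise.
stale_logs() {
    dir=$1
    interval=$2
    # find(1) measures age in minutes with -mmin
    max_min=$(( (interval * 2) / 60 ))
    stale=$(find "$dir" -maxdepth 1 -type f -name '*.log' \
                 -mmin +"$max_min" 2>/dev/null)
    if [ -n "$stale" ]; then
        printf '%s\n' "$stale"
        return 1
    fi
    return 0
}

# count_stale DIR INTERVAL_SECONDS
#   Same test, but returns the number of stale files on stdout (handy for
#   feeding a monitoring system or a cron job that sends an alert).
count_stale() {
    max_min=$(( ($2 * 2) / 60 ))
    find "$1" -maxdepth 1 -type f -name '*.log' -mmin +"$max_min" 2>/dev/null \
        | wc -l | tr -d ' '
}

# Assumed default locations/values; adjust to the local installation.
SPOOL=${SPOOL:-/usr/local/bro/spool/bro}
INTERVAL=${INTERVAL:-86400}

if [ -d "$SPOOL" ]; then
    if stale_logs "$SPOOL" "$INTERVAL"; then
        echo "rotation OK: no log in $SPOOL older than 2x ${INTERVAL}s"
    else
        echo "rotation appears stalled: the files above were never rotated"
    fi
fi
```

Run it from cron at roughly the rotation interval; a non-empty listing means the postprocessor stopped firing, which is the condition worth alerting on before the spool disk fills.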