[Bro] Bro crashed this morning..

fatema bannatwala fatema.bannatwala at gmail.com
Sun Oct 23 14:00:03 PDT 2016 

Hi all,

So, it happened again, this morning around 6:55am.
Bro stopped at that time, don't really know why.
I got to know about this when I wanted to analyse traffic for a particular
IP around 11 and found out that we don't have any logs after 7am logged by
BRO :(
I quickly checked the status of bro on manager, and found that bro isn't
running.
I restarted bro from manager and all but one worker came up online, and bro
started normally, running with remaining nodes in the cluster.
This have happened before, when one of the workers will become unreachable
and bro stops.
I don't really know what happens first,i.e whether worker becomes offline
first and then bro stops, or vise versa.

I tried looking for some errors on the workers as well as on manager in :
/usr/local/bro/logs/brolog/spool/tmp/post-terminate-2016-10-23-15-40-10-2410-crash
dir but nothing useful, only some warnings in stderr.log like following:

warning in /usr/local/bro/2.4.1/share/bro/site/connStats.bro, line 39:
dangerous assignment of double to integral (ConnStats::out$EstinboundConns
= ConnStats::result[EstinboundConns]$sum)
warning in /usr/local/bro/2.4.1/share/bro/site/connStats.bro, line 40:
dangerous assignment of double to integral (ConnStats::out$EstoutboundConns
= ConnStats::result[EstoutboundConns]$sum)
listening on em1, capture length 8192 bytes

1477133753.104159 processing suspended
1477133753.104159 processing continued
1477133759.776854 Failed to open GeoIP Cityv6 database:
/usr/share/GeoIP/GeoIPCityv6.dat
1477133759.776854 Failed to open GeoIPv6 Country database:
/usr/share/GeoIP/GeoIPv6.dat

Is there anywhere else I can look also to diagnose the issue?
Is there any reason, bro will stop entirely if one of the workers become
offline for some reason?
Or the issue is completely else, and I am looking in completely wrong
direction.

Any help appreciated :)

Thanks,
Fatema.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20161023/b9931abc/attachment.html

More information about the Bro mailing list