[Bro] Bro crashed this morning..
fatema bannatwala
fatema.bannatwala at gmail.com
Mon Oct 24 12:26:43 PDT 2016
Hmm, that kinda makes sense.
Disabled the cron job of restart-bro, and will keep a check on bro on
manager for future.
Thanks Justin :)
On Mon, Oct 24, 2016 at 2:58 PM, Azoff, Justin S <jazoff at illinois.edu>
wrote:
>
> > On Oct 24, 2016, at 2:48 PM, fatema bannatwala <
> fatema.bannatwala at gmail.com> wrote:
> >
> > I have two crons currently in bro's crontab:
> > $ crontab -l
> > 0-59/5 * * * * /usr/local/bro/default/bin/broctl cron
> > 55 6 * * * /usr/local/bro/bin/restart-bro
> >
> > restart-bro is a small script that looks like this:
> >
> > /usr/local/bro/default/bin/broctl install
> > /usr/local/bro/default/bin/broctl restart
> >
> > The reason, I think, for having bro restart every morning at 6:55 is we
> pull down the intel feeds every morning at 6:45
> > that updates the files that bro monitors as input feeds for intel
> framework.
> > And I thought that Bro would not pick up new/updated input feeds unless
> restarted.
> >
> > Is that would be something causing bro to not restart?
> >
>
> You shouldn't have to restart bro for it to pull in updates from intel
> files.
>
> It's suspicious that you say bro crashed at 7am and that cron job runs at
> 6:55.
>
> It's possible that something went wrong during the restart and bro just
> ended up stopped. I could see 'broctl restart' leaving the cluster in an
> inconsistent state if it gets interrupted.
>
> I'd just remove that job (since intel files should auto update on their
> own) or try changing the time it runs at to 6:57, which should at least
> avoid it running at the same time as cron.
>
>
>
> --
> - Justin Azoff
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20161024/084117b4/attachment.html
More information about the Bro
mailing list