[Bro] broctl startup error

Allen, Brian brianallen at wustl.edu
Thu Aug 31 05:58:55 PDT 2017


That helped!  In broctl.cfg I had to fix this line.  The single quotes were missing.


BroArgs = -f '(net 128.252.0.0/16 or net 65.254.96.0/19)'


But now when I start up the cluster (and it does start up which is good) the workers are all running at 100% which is not normal on these boxes.  Should be around 50%.  That seems like pf_ring is not running, but I keep checking and pf_ring is installed and loaded.


Hyperthreading is still disabled.  That didn’t change after the upgrade.


What could have changed after the upgrade to cause the cpus to run at 100%?  I still think there is something wrong with pf_ring, but I’m not seeing it.  I just built another BRO cluster for our research network on ubuntu 14.04 servers and got pf_ring and bro running there no problem.


Thanks for your help,

-Brian


From: "Azoff, Justin S" <jazoff at illinois.edu>
Date: Wednesday, August 30, 2017 at 7:46 PM
To: Brian Allen <brianallen at wustl.edu>
Cc: Bro-Mailinglist <bro at bro.org>
Subject: Re: [Bro] broctl startup error


On Aug 30, 2017, at 6:38 PM, Allen, Brian <BrianAllen at wustl.edu> wrote:

Hi,
I just upgraded my BRO cluster machines from ubuntu 14.02 to 16.04.  I just installed the latest version of BRO on the manager.  All the machines in the cluster return this:

    $ bro --version
    bro version 2.5-294

But when I try to run broctl on the manager to start it up again, I get this error:

    $ sudo broctl
    Warning: the SitePolicyStandalone option is deprecated (use SitePolicyScripts instead).
    Welcome to BroControl 1.7-7
    Type "help" for help.
    [BroControl] > check
    manager scripts failed.
    /bin/sh: 1: Syntax error: "(" unexpected


Well, that's a new one.. I wonder if you have a '(' in one of your settings..

Does

    broctl config | grep '('

or

    grep '^[^#].*(' -r /usr/local/bro/etc/

return anything?

I was able to reproduce a similar error by adding

    env_vars=foo=(bar

to the config.


--
- Justin Azoff
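
The failure discussed in this thread can be caught before running `broctl check` by asking the shell to parse each option value without executing it. The script below is an added example, not code from the thread or from the Bro project; it assumes option values end up unescaped on a `/bin/sh` command line (which is what the error message suggests), and the function names and sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: broctl pastes option values
# unescaped into a /bin/sh command line, as the "(" syntax error suggests.

# True if VALUE parses as shell command arguments. sh -n only parses, never runs.
value_parses() {
    printf 'true %s\n' "$1" | sh -n 2>/dev/null
}

# Print "line N: Key" for every "Key = value" line /bin/sh would reject.
# Returns 1 if any were found, 0 otherwise.
lint_cfg() {
    bad=0 n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            '#'*|'['*) continue ;;      # comment or section header
            *=*) ;;                     # an option line: check it
            *) continue ;;              # blank or anything else
        esac
        key=$(printf '%s' "${line%%=*}" | sed 's/[[:space:]]*$//')
        if ! value_parses "${line#*=}"; then
            printf 'line %d: %s\n' "$n" "$key"
            bad=1
        fi
    done < "$1"
    return "$bad"
}

# Constructed sample, not the poster's real broctl.cfg.
sample_cfg() {
    cat <<'EOF'
# constructed sample
MailTo = root@localhost
BroArgs = -f (net 128.252.0.0/16 or net 65.254.96.0/19)
LogRotationInterval = 3600
env_vars=foo=(bar
SitePolicyScripts = local.bro
EOF
}

tmp=$(mktemp)
sample_cfg > "$tmp"
lint_cfg "$tmp" || echo "quote or fix the options listed above"
rm -f "$tmp"
```

Unlike a grep for `(`, this also flags an unterminated quote and passes a value whose parentheses are correctly quoted.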


