[Bro] bro logs stopped

Debary, Travis Travis.Debary at pharmerica.com
Thu Dec 7 10:37:32 PST 2017


Good afternoon all,

Hello all, I'm new to bro and am having to learn and manage an existing implementation, which means I have to make sense of everything as I troubleshoot. If this is not the best place to ask for help, I apologize and please feel free to correct me.

I'm having an issue with a sensor that collects bro logs and then sends them to Splunk.  On 11/17, it stopped sending logs and I've spent the last couple of weeks trying to figure this out.

When I go to /nsm/bro/logs/ and /current, there are no log files at all in the directories. On another sensor that is working, when I go to these folders, I see log files that are named after the date (e.g. 2017-12-07).

When I try to run broctl on the nonworking sensor, it gives me the below error:

"Error: must run broctl on same machine as the standalone node. The standalone node has IP address 127.0.0.1 and this machine has IP addresses: 172.27.x.x (x are placeholders), fe80::1e98:ecff:fe15:d098"

I get that same error whenever I try to do anything with broctl, even stop it.  Since it's giving the loopback address, I'm not sure why it recognizes it as a different machine.

When I go to the node.cfg file in /opt/bro, it displays this:
[bro]
type=standalone
host=localhost
interface=eth0

However, when I look at that file on the other sensor that is working, it displays:
[manager]
type=manager
host=localhost

[proxy]
type=proxy
host=localhost

[nsmsen04-eth1]
type=worker
host=localhost
interface=eth1
lb_method=pf_ring
lb_procs=1

Just an FYI, the working sensor also sends logs to SecurityOnion, so I'm not sure if that has anything to do with the difference in node.cfg. The nonworking sensor only sends logs to Splunk, and I have already verified that the Splunk Forwarder is working properly.

Is there anything I am missing that would fix this? I'm probably not giving you everything you need to help but please let me know what else I can provide that would assist.

Travis
