[Bro] bro logs stopped

Daniel Thayer dnthayer at illinois.edu
Thu Dec 7 11:48:30 PST 2017 

Which OS are you using?  Which version of Bro?


On 12/7/17 12:37 PM, Debary, Travis wrote:
> Good afternoon all,
> 
> Hello all, I'm new to bro and am having to learn and manage an existing 
> implementation, which means I have to make sense of everything as I 
> troubleshoot. If this is not the best place to ask for help, I apologize 
> and please feel free to correct me.
> 
> I’m having an issue with a sensor that collects bro logs and then sends 
> them to Splunk.  On 11/17, it stopped sending logs and I've spent the 
> last couple of weeks trying to figure this out.
> 
> When I go to /nsm/bro/logs/ and /current, there are no log files at all 
> in the directories. On another sensor that is working, when I go to 
> these folders, I see log files that are named after the date (e.g. 
> 2017-12-07).
> 
> When I try to run broctl on the nonworking sensor, it gives me the below 
> error:
> 
> "Error: must run broctl on same machine as the standalone node. The 
> standalone node has IP address 127.0.0.1 and this machine has IP 
> addresses: 172.27.x.x (x are placeholders), fe80::1e98:ecff:fe15:d098"
> 
> I get that same error whenever I try to do anything with broctl, even 
> stop it.  Since it's giving the loopback address, I'm not sure why it 
> recognizes it as a different machine.
> 
> When I go to the node.cfg file in /opt/bro, it displays this:
> [bro]
> type=standalone
> host=localhost
> interface=eth0
> 
> However, when I look at that file on the other sensor that is working, 
> it displays:
> [manager]
> type=manager
> host=localhost
> 
> [proxy]
> type=proxy
> host=localhost
> 
> [nsmsen04-eth1]
> type=worker
> host=localhost
> interface=eth1
> lb_method=pf_ring
> lb_procs=1
> 
> Just an FYI, the working sensor also sends logs to SecurityOnion so not 
> sure if that has anything to do with the difference in node.cfg. The 
> nonworking sensor only sends logs to Splunk, which I have already 
> verified the Splunk Forwarder is working properly.
> 
> Is there anything I am missing that would fix this? I'm probably not 
> giving you everything you need to help but please let me know what else 
> I can provide that would assist.
> 
>   * Travis

More information about the Bro mailing list