[Bro] all broctl instances are running yet broctl status shows stopped

Daniel Thayer dnthayer at illinois.edu
Wed Mar 21 17:46:33 PDT 2018


On 3/21/18 5:58 AM, william de ping wrote:
> Hi Daniel,
> 
> Thanks
> 
> I have deleted another bro environment on that server and double 
> checked that there are no other broctl\bro executables besides the 
> work_dir and build_dir.
> 
> Yet this issue still occurs.
> I run bro with a specific user and on "top" I see that bro is running 
> under that user, yet "./bin/broctl status" still returns that all 
> instances are stopped.
> 
> Any suggestions?
> 
> Thanks again
> B


When you run "broctl diag", it will output the contents of several files
in the Bro working directory (this is the directory where bro is
running).  For example, it will show you the contents of the
".status" file and "stdout.log", and several other files.

If you don't see anything in the output, but you are sure that
bro is running (and producing logs), then that means
bro is running in a different directory.

Each installation of bro uses its own directory paths for
locations of the config files, working directory, executables, etc.
You can see these by running "broctl config".  You can check
if the output of "broctl config | grep spooldir" is the
parent directory of the directory where you are seeing bro
producing log files.
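
The comparison described in the reply above, as an added example that is not part of the original message or of the Bro project. It assumes Linux (`/proc/<pid>/cwd`), that the process is named `bro`, and that "broctl config" prints "key = value" lines; the `BROCTL` variable and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: compare the spool directory broctl reports with the
# working directory of each running bro process (Linux /proc assumed).

BROCTL=${BROCTL:-broctl}   # e.g. BROCTL=./bin/broctl

# Read "broctl config" output on stdin ("key = value" lines assumed)
# and print the spooldir value.
parse_spooldir() {
    sed -n 's/^spooldir[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Succeed if directory $2 is $1 itself or lies below it.
is_under() {
    parent=${1%/}
    child=${2%/}
    case "$child/" in
        "$parent/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one verdict line per running bro process.
check_running_bro() {
    spool=$("$BROCTL" config | parse_spooldir)
    [ -n "$spool" ] || { echo "no spooldir in '$BROCTL config' output" >&2; return 2; }
    echo "spooldir for $BROCTL: $spool"
    for pid in $(pgrep -x bro); do
        cwd=$(readlink "/proc/$pid/cwd") || continue   # needs same user or root
        if is_under "$spool" "$cwd"; then
            echo "pid $pid: $cwd (managed by this broctl)"
        else
            echo "pid $pid: $cwd (outside spooldir: a different install)"
        fi
    done
}

# Run the check only where broctl is actually present.
if command -v "$BROCTL" >/dev/null 2>&1; then
    check_running_bro
fi
```

Run it as the user that owns the bro processes (or as root), otherwise the `/proc/<pid>/cwd` links cannot be read and those processes are skipped.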


