[Bro] local.bro causing memory leak

Jason Holmes jholmes at psu.edu
Thu Mar 22 09:32:50 PDT 2018


We're streaming JSON versions of Bro logs into Splunk without an issue. 
Some pointers that may help:

1. Set your initCrcLength to something like 2048 in your monitor 
statement in your inputs.conf for Bro logs.  The default is 256 bytes, 
which can be too small to extend past the headers at the beginning of a 
Bro log for some log types.  If you don't do something like this, Splunk 
will get confused when logs rotate because it will find a log with a 
different name having the same CRC.  This could be why you're having 
issues with file renames on log rotation.

2. If you rotate your logs off to some other server for long term 
storage, keep a day or three local as well and have Splunk monitor those 
directories as well.  If you have the initCrcLength set, Splunk is smart 
enough to recognize that conn.log and conn-datestamp.log are the same 
thing if they have the same initCrcLength and won't reindex the rotated 
log.  On the other hand, if Splunk was down or had a log queued for 
batch processing and didn't get it before it was rotated, it'll pick it 
up from the archive directory.

We accomplish this by rotating to an archive directory on the same 
partition on the Bro manager.  That makes the rotate time almost nothing 
since the move is essentially a rename rather than moving all of those 
bytes of logs.  We then use a cron job with rsync to copy the files over 
to long term storage.  Another cron job removes files that are too old.

Example monitor statements:

[monitor:///path/to/your/bro/spool/manager/]
disabled = 0
sourcetype = json_bro
index = your_bro_index
initCrcLength = 2048
whitelist = (dns|notice|weird)_json.*\.log$

[monitor:///path/to/your/bro/spool/archive/20*/]
disabled = 0
sourcetype = json_bro
index = your_bro_index
initCrcLength = 2048
whitelist = (dns|notice|weird)_json.*\.log$

3. If you're moving a massive amount of Bro logs and are regularly 
falling behind, try a heavy forwarder rather than a universal forwarder 
and bump the number of parallelIngestionPipelines in your server.conf 
for your Bro node up.

Thanks,

--
Jason Holmes
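The archive layout from items 1 and 2 above (rotated logs renamed into a same-partition archive directory, one cron job rsyncing to long-term storage, another pruning old files), as an added shell example that is not code from the post. Paths under /path/to/your/bro/spool and /data/longterm are placeholders, the function names are this example's own, and it assumes broctl's rotated-file naming (conn.2018-03-22-09-00-00.log). same_initcrc() compares the first N bytes of two logs the way Splunk's initCrcLength check does, so you can verify that two different Bro ASCII logs with the same header collide at the default 256 and are told apart at 2048.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post.  Rotated Bro logs are
# renamed into an archive directory on the same partition, a cron job rsyncs
# the archive to long-term storage, and another cron job prunes old files.
# Paths (/path/to/your/bro/spool, /data/longterm) are placeholders.
set -u

# 0 if both paths are on the same filesystem, so mv(1) is a rename and not a
# byte-for-byte copy.  df -P prints one POSIX-format line per path; column 1
# is the device.
same_filesystem() {
    dev1=$(df -P "$1" | awk 'NR == 2 { print $1 }')
    dev2=$(df -P "$2" | awk 'NR == 2 { print $1 }')
    [ "$dev1" = "$dev2" ]
}

# Move one rotated log into $2/YYYY-MM-DD/, the layout the archive/20*/ monitor
# stanza expects.  broctl names rotated logs conn.2018-03-22-09-00-00.log, so
# the day is taken from the name; anything else lands under today's date.
# Prints the destination path; returns 1 and leaves the file alone when the
# archive is on a different partition (the move would no longer be a rename).
archive_rotated_log() {
    src=$1
    archive_root=$2
    base=$(basename "$src")
    day=$(printf '%s\n' "$base" |
          sed -n 's/^[^.]*\.\([0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}\)-.*/\1/p')
    [ -n "$day" ] || day=$(date +%Y-%m-%d)
    dest_dir=$archive_root/$day
    mkdir -p "$dest_dir"
    if ! same_filesystem "$src" "$dest_dir"; then
        echo "archive_rotated_log: $dest_dir is not on the partition of $src" >&2
        return 1
    fi
    mv "$src" "$dest_dir/$base" && printf '%s\n' "$dest_dir/$base"
}

# Cron job 1: copy the archive to long-term storage without re-sending files
# that are already there.  Returns 1 if rsync is not installed.
sync_to_longterm() {
    command -v rsync >/dev/null 2>&1 || { echo "rsync not installed" >&2; return 1; }
    rsync -a --ignore-existing "$1"/ "$2"/
}

# Cron job 2: delete archived files older than $2 days.
prune_archive() {
    find "$1" -type f -mtime +"$2" -exec rm -f {} +
}

# 0 if the first $3 bytes of $1 and $2 are identical, i.e. Splunk would treat
# the two files as one at initCrcLength=$3.
same_initcrc() {
    a=$(head -c "$3" "$1" | cksum)
    b=$(head -c "$3" "$2" | cksum)
    [ "$a" = "$b" ]
}

# Usage: bro-archive.sh --demo   (set BRO_SPOOL to override the placeholder)
if [ "${1:-}" = "--demo" ]; then
    spool=${BRO_SPOOL:-/path/to/your/bro/spool}
    for f in "$spool"/manager/*.20[0-9][0-9]-[0-9][0-9]-[0-9][0-9]-*.log; do
        [ -e "$f" ] && archive_rotated_log "$f" "$spool/archive"
    done
    sync_to_longterm "$spool/archive" /data/longterm/bro || true
    prune_archive "$spool/archive" 3
fi
```

Run the archive step from the rotation hook (or a cron entry a minute after each rotation) and the sync and prune steps from cron; the same-filesystem check is what keeps the rotate time "almost nothing", since a cross-partition mv silently degrades to a full copy.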

On 3/20/18 4:11 PM, Benjamin Wood wrote:
> Thanks Seth.
> 
> The whole problem I'm trying to solve is streaming data into Splunk. 
> Splunk forwarders don't like it when filenames change, and the 
> artificial delay created by rotating logs adds too much latency. The 
> solution that was proposed was "don't rotate logs", and leave them in 
> place long enough for the forwarders to finish.
> 
> At this point I've got to step back and ask, "Am I doing it wrong?" This 
> problem has to have been solved by others. I'm certain there is a way to 
> stream my data to splunk that is better than this.
> 
> The file rotation and renaming functions give me enough to play with to 
> solve the problem using bro-script.
> 
> Thanks again for the feedback,
> Ben
> 
> On Tue, Mar 20, 2018 at 2:50 PM, Seth Hall <seth at corelight.com 
> <mailto:seth at corelight.com>> wrote:
> 
>     __
> 
>     On 19 Mar 2018, at 15:31, Benjamin Wood wrote:
> 
>         I'm running my cluster with broctl, and rotation is turned off
>         because I'm
>         naming files with a timestamp to begin with.
> 
>     Justin got your problem right. If you turn off file rotation, then
>     Bro is never closing any of these hourly logs. You have to be really
>     careful with how you use $path_func because you can easily get
>     yourself into hot water.
> 
>     Alternately you need to define a rotation interval and post
>     processor. Something like this...
> 
>     <i also trimmed out some of your code>
> 
>     function my_log_post_processor(info: Log::RotationInfo): bool
>         {
>         local ext = sub(info$fname,
>                         /^[^\-]+-[0-9]+-[0-9]+-[0-9]+_[0-9]+\.[0-9]+\.[0-9]+\./, "");
>
>         # Move file to name including both opening and closing time.
>         local dst = fmt("%s_%s_%s-%s.%s", info$path,
>                         strftime("%Y%m%d", info$open),
>                         strftime("%H:%M:%S", info$open),
>                         strftime("%H:%M:%S%z", info$close),
>                         ext);
>
>         local cmd = fmt("/bin/mv %s %s/%s", info$fname, "/data/logs", dst);
>         system(cmd);
>         return T;
>         }
>
>     event bro_init()
>         {
>         for ( id in Log::active_streams )
>             {
>             local filter = Log::get_filter(id, "default");
>             filter$interv = 1hr;
>             filter$postprocessor = my_log_post_processor;
>             Log::add_filter(id, filter);
>             }
>         }
> 
>     Something like that will enable you to turn off log rotation in
>     broctl (but you'll lose some broctl niceties as well).
> 
>     .Seth
> 
>     --
>     Seth Hall * Corelight, Inc * www.corelight.com
>     <http://www.corelight.com>
> 
> 
> 
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 