[Bro] Where is my conn.log?

Mark Krenz mkrenz at iu.edu
Mon Nov 12 11:47:53 PST 2018


I've inherited a Bro 2.5.5 setup from someone else and am coming to it 
after it's been running for a while without producing any conn or other 
protocol logs.  I've tried restarting Bro and redeploying, but the only 
logs that get started are

communication.log
loaded_scripts.log
packet_filter.log
reporter.log
stats.log
stderr.log
stdout.log
weird.log

None of these logs are filling up with anything useful or indicating 
what the problem may be. The only useful message is 
"non_ip_packet_in_ethernet" in the weird.log. That seems to point to a 
network issue rather than a Bro issue, but I'd like to rule out a Bro 
issue first if possible. At one point this setup did produce useful logs 
but apparently it just stopped at some point and I'm not sure why. The 
only thing somewhat unique about this setup is that at one point it 
required me to use the setting 'redef encap_hdr_size=10;' to handle an 
incompatibility between Bro and a vlan technology this network uses. 
I've also verified that the taps that Bro is listening on are seeing 
actual traffic by using tshark, which is able to decode the protocols.

Any suggestions as to where to start and how to diagnose this?

Thanks,

Mark
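As an added example (my code, not Mark's configuration and not Bro's own packet code), the Python below models the step at which a sensor decides whether an Ethernet frame carries IP at all: it peels 802.1Q tags and, optionally, skips a fixed number of bytes after the link layer before looking for an IP version nibble, which is what a setting such as `redef encap_hdr_size=10;` asks the sensor to do. The frames are constructed for the example, with ethertype 0x88B5 standing in for an unknown vendor encapsulation, and the skip logic is a simplified model rather than Bro's implementation. It illustrates that frames end up classified as non-IP both when an encapsulation is present and not skipped and when a skip is configured but the traffic on the tap no longer carries that encapsulation; either way the sensor has nothing to build a conn.log from, which is worth confirming against a handful of frames captured from the tap before treating it as a network problem.

```python
"""Classify raw Ethernet frames as IPv4 / IPv6 / non-IP after peeling
802.1Q tags and an optional fixed-size encapsulation skip.

Constructed example; the skip behaviour is a model, not Bro's code."""
import struct
from collections import Counter

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_ARP = 0x0806
ETHERTYPE_VENDOR = 0x88B5          # IEEE local-experimental value, used here as a stand-in
VLAN_TAG_TYPES = {0x8100, 0x88A8, 0x9100}  # 802.1Q, 802.1ad QinQ, legacy QinQ

MAC_DST = bytes.fromhex("001122334455")  # constructed addresses
MAC_SRC = bytes.fromhex("66778899aabb")


def peel_link_layer(frame: bytes):
    """Return (ethertype, vlan_ids, payload_offset) after the 14-byte
    Ethernet header and any stack of VLAN tags."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlans = 14, []
    while ethertype in VLAN_TAG_TYPES:
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
        vlans.append(tci & 0x0FFF)  # VID is the low 12 bits of the TCI
        offset += 4
    return ethertype, vlans, offset


def classify(frame: bytes, encap_hdr_size: int = 0) -> str:
    """Return 'ipv4', 'ipv6' or 'non_ip'. With a non-zero encap_hdr_size the
    ethertype is ignored, encap_hdr_size bytes are skipped after the link
    layer, and the IP version nibble at that offset decides (model only)."""
    ethertype, _vlans, offset = peel_link_layer(frame)
    if encap_hdr_size:
        offset += encap_hdr_size
        if len(frame) <= offset:
            return "non_ip"
        return {4: "ipv4", 6: "ipv6"}.get(frame[offset] >> 4, "non_ip")
    return {ETHERTYPE_IPV4: "ipv4", ETHERTYPE_IPV6: "ipv6"}.get(ethertype, "non_ip")


def summarize(frames: dict, encap_hdr_size: int = 0) -> dict:
    """Tally classifications over a set of frames; a sensor whose tally is
    all non_ip can never produce a conn.log."""
    return dict(Counter(classify(f, encap_hdr_size) for f in frames.values()))


# --- constructed sample frames ------------------------------------------

def ipv4_header(src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02") -> bytes:
    # Minimal 20-byte IPv4 header: version 4, IHL 5, TTL 64, protocol TCP, checksum zero.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0, src, dst)


def ipv6_header(src=bytes.fromhex("20010db8" + "00" * 11 + "01"),
                dst=bytes.fromhex("20010db8" + "00" * 11 + "02")) -> bytes:
    # Minimal 40-byte IPv6 header: version 6, next header 59 (none), hop limit 64.
    return struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64, src, dst)


def build_frame(ethertype: int, payload: bytes, vlan_ids=(), shim: bytes = b"") -> bytes:
    """Ethernet header, optional 802.1Q tags, the final ethertype, an optional
    encapsulation shim of unknown layout, then the payload."""
    frame = MAC_DST + MAC_SRC
    for vid in vlan_ids:
        frame += struct.pack("!HH", 0x8100, vid)  # PCP/DEI zero, VID only
    return frame + struct.pack("!H", ethertype) + shim + payload


SAMPLE_FRAMES = {
    "plain_ipv4": build_frame(ETHERTYPE_IPV4, ipv4_header()),
    "vlan_ipv6": build_frame(ETHERTYPE_IPV6, ipv6_header(), vlan_ids=(100,)),
    "qinq_ipv4": build_frame(ETHERTYPE_IPV4, ipv4_header(), vlan_ids=(200, 300)),
    "arp": build_frame(ETHERTYPE_ARP, bytes(28)),
    # 10 opaque bytes between the vendor ethertype and the IP header.
    "vendor_shim_ipv4": build_frame(ETHERTYPE_VENDOR, ipv4_header(), shim=bytes(10)),
}

if __name__ == "__main__":
    for skip in (0, 10):
        print(f"encap_hdr_size={skip}: {summarize(SAMPLE_FRAMES, skip)}")
```

Running it prints one tally per skip value: with no skip the vendor-encapsulated frame is the only non-IP traffic besides ARP, while with a blanket 10-byte skip every ordinary frame becomes non-IP and only the encapsulated one decodes. On a real tap the equivalent check is to look at the ethertype and the first payload bytes of a few captured frames and compare them with whatever skip the sensor is configured to apply.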
