Good afternoon all,
Hello all, I’m new to bro and am having to learn and manage an existing implementation, which means I have to make sense of everything as I troubleshoot. If this is not the best place to ask for help, I apologize and please feel free to correct me.
I’m having an issue with a sensor that collects bro logs and then sends them to Splunk. On 11/17, it stopped sending logs and I’ve spent the last couple of weeks trying to figure this out.
When I go to /nsm/bro/logs/ and /current, there are no log files at all in the directories. On another sensor that is working, when I go to these folders, I see log files that are named after the date (e.g. 2017-12-07).
When I try to run broctl on the nonworking sensor, it gives me the below error:
“Error: must run broctl on same machine as the standalone node. The standalone node has IP address 127.0.0.1 and this machine has IP addresses: 172.27.x.x (x are placeholders), fe80::1e98:ecff:fe15:d098”
I get that same error whenever I try to do anything with broctl, even stop it. Since it’s giving the loopback address, I’m not sure why it recognizes it as a different machine.
When I go to the node.cfg file in /opt/bro, it displays this:
[bro]
type=standalone
host=localhost
interface=eth0
However, when I look at that file on the other sensor that is working, it displays:
[manager]
type=manager
host=localhost
[proxy]
type=proxy
host=localhost
[nsmsen04-eth1]
type=worker
host=localhost
interface=eth1
lb_method=pf_ring
lb_procs=1
Just an FYI, the working sensor also sends logs to SecurityOnion, so I'm not sure if that has anything to do with the difference in node.cfg. The nonworking sensor only sends logs to Splunk, and I have already verified that the Splunk Forwarder is working properly.
Is there anything I am missing that would fix this? I'm probably not giving you everything you need to help, but please let me know what else I can provide that would assist.
- Travis
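A small shell check, added here as an example and not part of the original post, that reproduces the comparison broctl's error message describes: each host= value in node.cfg is resolved and tested against the machine's own address list, so you can see on the nonworking sensor whether localhost resolves to 127.0.0.1 and whether 127.0.0.1 is actually among the addresses the machine reports. It assumes `ip -o addr` and `getent hosts` are available and takes the node.cfg path as its first argument.

```shell
#!/bin/sh
# Added example (not from the original post or from broctl itself).
# Assumptions: node.cfg is INI-style with "host=" lines; local addresses come
# from `ip -o addr`; hostnames are resolved with `getent hosts`.

# Print every IPv4/IPv6 address this machine has, one per line.
local_addrs() {
    ip -o addr 2>/dev/null | awk '{ sub(/\/.*/, "", $4); print $4 }'
}

# Resolve a node.cfg host value to an address. Literal IPv4/IPv6 values pass
# through unchanged; names go through /etc/hosts and DNS via getent.
resolve_host() {
    case "$1" in
        *:*)        printf '%s\n' "$1" ;;                        # IPv6 literal
        *[!0-9.]*)  getent hosts "$1" | awk 'NR == 1 { print $1 }' ;;  # name
        *)          printf '%s\n' "$1" ;;                        # IPv4 literal
    esac
}

# Check every host= entry in node.cfg ($1) against a whitespace-separated
# address list ($2). Returns 0 if all hosts resolve to a local address, else 1.
check_node_hosts() {
    cfg="$1"; addrs="$2"; rc=0
    for h in $(awk -F= '$1 ~ /^[ \t]*host[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2 }' "$cfg"); do
        addr=$(resolve_host "$h")
        found=1
        for a in $addrs; do
            [ "$a" = "$addr" ] && found=0
        done
        if [ "$found" -eq 0 ]; then
            echo "ok:   host=$h -> $addr is a local address"
        else
            echo "FAIL: host=$h -> ${addr:-unresolved} is not in: $addrs"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_node_cfg.sh /opt/bro/etc/node.cfg
if [ -n "${1:-}" ]; then
    check_node_hosts "$1" "$(local_addrs | tr '\n' ' ')"
fi
```

If the script reports FAIL for host=localhost, compare the output of `getent hosts localhost` and `ip -o addr` on the nonworking sensor with the working one; a missing or down loopback interface, or a changed /etc/hosts entry, shows up there.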