I'm trying to troubleshoot some odd behavior. I stopped receiving hourly email summaries and logs stopped being moved and compressed at some point this afternoon, although new logs are still being started hourly and the old log is being renamed.
As far as I can tell from the cron log the broctl cron job is running as scheduled. I tried running broctl cron manually, but no dice. It didn't see any hung processes from earlier cron jobs or any emails in the bro user's mailbox indicating something went awry. Does broctl cron produce any log output if it has trouble?
Actually, broctl cron doesn't do log rotation or hourly email summaries.
In fact, those happen even if broctl isn't running at all. When it's
time to do a log rotation, Bro itself (on the manager host) executes
a script
<prefix>/share/broctl/scripts/archive-log
and that script then executes a script
<prefix>/share/broctl/scripts/postprocessors/summarize-connections
that generates and emails the connection summary report.
So, I'd suggest making sure those scripts exist on your manager host,
check if you see any "archive-log" processes running in the background,
and then check if you're running out of disk space.
Thanks for clearing that up. It helps to be looking in the right place. Only using about 11% of the disk space on the manager node and only 1% on the worker node. I don't see any archive-log processes running, but I believe I've seen them in the process list after stopping my bro instance, so I think I have an idea what I'd see if they were running.
Gary Faulkner
UW Madison
Office of Campus Information Security
608-262-8591
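
The three checks suggested in the reply above (rotation scripts present on the manager host, archive-log processes in the background, disk space), as an added shell example that is not part of the original thread. The script paths are the ones quoted in the reply; the function names, the install-prefix argument and the optional log-directory argument are assumptions.

```shell
#!/bin/sh
# Added example: run on the manager host as
#   sh check-rotation.sh <prefix> [log-directory]
# <prefix> is the Bro install prefix, written as <prefix> in the thread.

# Report rotation scripts that are missing or not executable (to stderr)
# and print how many problems were found (to stdout).
missing_rotation_scripts() {
    prefix=$1
    missing=0
    for rel in share/broctl/scripts/archive-log \
               share/broctl/scripts/postprocessors/summarize-connections; do
        path="$prefix/$rel"
        if [ ! -f "$path" ]; then
            echo "MISSING: $path" >&2
            missing=$((missing + 1))
        elif [ ! -x "$path" ]; then
            echo "NOT EXECUTABLE: $path" >&2
            missing=$((missing + 1))
        fi
    done
    echo "$missing"
}

# List archive-log processes with their elapsed time. A long-lived entry
# suggests a rotation that never finished. The [a] keeps awk from matching itself.
archive_log_procs() {
    ps -eo pid,etime,args | awk '/[a]rchive-log/'
}

# Print the used-space percentage of the filesystem holding a directory.
disk_used_pct() {
    df -P "$1" | awk 'NR==2 { sub(/%/, "", $5); print $5 }'
}

# Run all three checks when a prefix is given on the command line.
# Assumption: logs sit on the same filesystem as the prefix unless a
# second argument names the log directory.
if [ -n "${1:-}" ]; then
    echo "rotation scripts with problems: $(missing_rotation_scripts "$1")"
    echo "archive-log processes:"
    archive_log_procs
    echo "disk used at ${2:-$1}: $(disk_used_pct "${2:-$1}")%"
fi
```
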