debugging script

Hi,
I am trying to debug a bro script. In my script I am trying to load a table and reference the table contents. This is working correctly as expected. I want to verify if the re-reading of the table is working correctly or not. I’ve set the mode to REREAD in the add_table call.

After changing the file contents, the new data doesn’t seem to be making it into the table. I tried adding print statements into the ‘event entry’ but not sure where those prints are going. Where does the output of the print statements go on a running system (i.e. a cluster)? Is there a way for me to add some debugging info into scripts, i.e. printf-like debugging? Any pointers are much appreciated… thanks.

Dk

Hi,

> After changing the file contents, the new data doesn't seem to be making it
> into the table. I tried adding print statements into the 'event entry' but
> not sure where those prints are going. Where does the output of the print
> statements go on a running system (i.e. a cluster)? Is there a way for me
> to add some debugging info into scripts, i.e. printf-like debugging? Any
> pointers are much appreciated... thanks.

When you are running with broctl, I think the print output goes into
[install-base]/spool/[nodename]/stdout.log.

So, e.g. [base]/spool/worker-1/stdout.log.

Generally, if something odd happens with the input framework, looking at
reporter.log also always is a good idea; if the input framework stops
reading from a specified stream, it always logs the errors there.

I hope this helps,
Johanna

One gotcha with this (that has tripped me up an embarrassing number of times, and as recently as yesterday) is that those files are buffered.

If you only print a few lines, nothing will be written to stdout.log until bro stops. To fix that, you can just do

    print("whatever");
    flush_all();

Or if you are doing a lot of testing, have this in place:

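    # Flush all open files, then re-schedule this event in 5 seconds.
    event flush() {
      flush_all();
      schedule 5sec { flush() };
    }

    # Start the periodic flush when Bro starts.
    event bro_init() {
      schedule 5sec { flush() };
    }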

I vaguely remember there is a way to just set all files to be non-buffered.. though hard flushing every few seconds probably is better for performance.

Thanks Johanna, Justin,
flush_all helped.

Bhasker.
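
The debugging approach from this thread put together, as an added example that is not part of the original messages: a table loaded with `Input::REREAD` whose `entry` event prints every change and flushes, so the lines reach stdout.log right away. The file path, record fields and table name are assumptions.

```bro
# Added example; the file path, record fields and table name are assumptions.
# The ASCII reader expects a tab-separated file with a "#fields" header line,
# here: #fields<TAB>ip<TAB>reason
@load base/frameworks/input

type Idx: record {
    ip: addr;
};

type Val: record {
    reason: string;
};

global watchlist: table[addr] of Val = table();

# Raised for each entry on the first read, and again for every entry that is
# new, changed or removed when the file is re-read.
event entry(description: Input::TableDescription, tpe: Input::Event,
            left: Idx, right: Val)
    {
    print fmt("%s input=%s event=%s key=%s value=%s",
              current_time(), description$name, tpe, left$ip, right$reason);
    # stdout.log is buffered; flush so the line appears immediately.
    flush_all();
    }

# Raised each time the reader finishes a pass over the file, so one line per
# re-read confirms that REREAD is actually triggering.
event Input::end_of_data(name: string, source: string)
    {
    print fmt("%s finished reading %s (%s), table has %d entries",
              current_time(), name, source, |watchlist|);
    flush_all();
    }

event bro_init()
    {
    Input::add_table([$source="/path/to/watchlist.tsv", $name="watchlist",
                      $idx=Idx, $val=Val, $destination=watchlist,
                      $mode=Input::REREAD, $ev=entry]);
    }
```

If editing the file produces no new lines at all, not even from `Input::end_of_data`, reporter.log is the next place to look, as noted earlier in the thread.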