Hi,
In a cluster environment, in the HTTP log, for the same connection-id i.e same 4-tuple and UID, is it ok if the transaction depth field value is lower than the ten-depth of some of the lines that came before it? for example, I am seeing txns as shown below…
1515542375.578187 CGR1kN3pynC8a3GXK1 10.20.11.1 7867 10.20.11.120 9453 79 POST …
1515542387.701328 CGR1kN3pynC8a3GXK1 10.20.11.1 7867 10.20.11.120 9453 90 POST …
1515542354.674611 CGR1kN3pynC8a3GXK1 10.20.11.1 7867 10.20.11.120 9453 55 POST …
1515542382.015911 CGR1kN3pynC8a3GXK1 10.20.11.1 7867 10.20.11.120 9453 85 POST …
If you take a look at the timestamps in the log that you posted you will
notice that the transaction depth value is in the correct order if you
sort the log by timestamp.
Bro log files are generally not guaranteed to be well-odered - though I am
admittedly not 100% sure without looking into the http scripts why the
http.log sent by a single worker would be reordered like that
Are these logs being written with the normal "ascii" log writer? If they are, I don't have a sensible explanation yet for why they would be out of order like that and I've never seen that behavior.
