Log file issues

Aaron_Haycraft · August 24, 2015, 4:44pm

Good afternoon everyone,

My name is Aaron Haycraft. I am attempting to work with Bro for a project and I am having some
issues. I am running Bro from the command line on a Fedora machine, and I want to run a lot of PCAP files through it. For example, the lines of code I run are “bro -r test.pcap” and “bro -r test2.pcap”, and so on. However, when I do so, the logs seem to overwrite after awhile and I lose a lot of data. I know that when Bro runs, it stores the logs in the local directory, but after the log gets full, it goes somewhere that I don’t know. Is there anyway to get around this, such that everything goes into one big log file?

Thank you for your time,

Aaron H.

robin · August 24, 2015, 5:44pm

When you run Bro from the command line, everything in the trace you
give to an invocation will end up in a single set of logs files inside
the current directory. But if you then restart Bro with a different
trace, these logs will be overwritten with new ones (i.e., Bro won't
append the new data). You'll either need move them away before you
start the new Bro, or you could concanate all your traces into one
pcap stream on stdin and have Bro read from "-" (tcpslice and mergecap
can both do that).

Robin

Topic		Replies	Views
BRO: the log files aren't the same every time Zeek	2	77	May 6, 2022
About the question that Bro will lost the logs every time When execute ”bro -r xxx.pcap" Zeek	2	83	May 6, 2022
Overwriting logs Zeek	3	71	May 6, 2022
log rotation Zeek	2	98	May 6, 2022
trouble of running multiple bro instances Zeek	2	81	May 6, 2022

Log file issues

Related topics