Log rotation and /dev/null with broctl

I receive some unexplainable errors using broctl:

19 Oct 04:42:55 [output] /usr/local/share/broctl/scripts/archive-log: line 49: /home2/bro-logs/2010-10-16//dev/null.07:52:18-00:00:00.gz: No such file or directory
19 Oct 04:42:55 [output] 1287253800.000380 run-time error: rotate_file: can't move /dev/null to /dev/null.3123.1287253800.000380.tmp: File exists
19 Oct 04:42:55 [output] /usr/local/share/broctl/scripts/archive-log: line 49: /home2/bro-logs/2010-10-16//dev/null.07:52:18-00:00:00.gz: No such file or directory
19 Oct 04:42:55 [output] /usr/local/share/broctl/scripts/archive-log: line 49: /home2/bro-logs/2010-10-17//dev/null.00:00:00-00:00:00.gz: No such file or directory
19 Oct 04:42:55 [output] 1287340200.000090 run-time error: rotate_file: can't move /dev/null to /dev/null.3123.1287340200.000090.tmp: File exists
19 Oct 04:42:55 [output] /usr/local/share/broctl/scripts/archive-log: line 49: /home2/bro-logs/2010-10-16//dev/null.07:52:18-00:00:00.gz: No such file or directory

My broctl.cfg is pretty standard, with the only big difference being the change
of the log directory:

    LogDir = /home2/bro-logs

This is also weird:

    % file /dev/null
    /dev/null: ASCII text
    % more /dev/null
    title

It almost seems that broctl overwrote /dev/null. Does that make any
sense?

   Matthias

I've seen this happen when redirection goes bad:

Instead of

    rm my_file >/dev/null

the redirection is accidentally missed:

    rm my_file /dev/null

(obviously only works with privs in /dev)

then the next process redirecting to /dev/null creates a text file.

Do you have open_log_file("/dev/null") somewhere in one of your policy
scripts? I don't think that sort of thing works; instead you need to
immediately close a file after opening it...

Do you have open_log_file("/dev/null") somewhere in one of your policy
scripts?

Indeed, I could find the following

    # Save us some disk I/O.
    redef notice_file = open("/dev/null");
    redef bro_alarm_file = open("/dev/null");
    redef Weird::weird_file = open("/dev/null");

which I replaced with

    event bro_init()
    {
        close(notice_file);
        close(bro_alarm_file);
        close(Weird::weird_file);
    }

to get rid of the error. Thanks for the hint.

   Matthias

We should check for that. Can you file a ticket to remember it?

Thanks,

Robin
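A guard of the kind Robin suggests, written here as an added example and not part of broctl or its archive-log script: before a rotation step renames a log file, it checks that the path is a regular file outside /dev, and it can verify that /dev/null is still a character device rather than the ASCII file seen at the top of the thread. The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of broctl: refuse to rotate special files such
# as /dev/null, and detect a /dev/null that has been replaced by a text file.
# Function names are hypothetical.

# is_rotatable PATH: succeed only when PATH is a regular file outside /dev.
# A log path of /dev/null fails both tests, so rotate_file-style "mv" logic
# never renames the device node out from under the rest of the system.
is_rotatable() {
    [ -f "$1" ] || return 1          # regular file (follows symlinks)
    case "$1" in
        /dev/*) return 1 ;;          # never rotate anything under /dev
    esac
    return 0
}

# devnull_is_device: succeed when /dev/null is a character device. After the
# mishap in the thread it became an ASCII file, and this check would fail.
devnull_is_device() {
    [ -c /dev/null ]
}

# safe_rotate SRC DEST: the "mv" step of a rotation, gated by is_rotatable.
safe_rotate() {
    src=$1
    dest=$2
    if ! is_rotatable "$src"; then
        echo "refusing to rotate non-regular file: $src" >&2
        return 1
    fi
    mv -- "$src" "$dest"
}

# Stand-alone use: report the state of /dev/null on this host.
if devnull_is_device; then
    echo "/dev/null is a character device"
else
    echo "/dev/null has been replaced by something else" >&2
fi
```

The /dev prefix check is deliberate on top of the regular-file test: a symlink such as /dev/stdout can resolve to a regular file when output is redirected, and rotating it would be just as wrong as rotating /dev/null.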

We should check for that. Can you file a ticket to remember it?

Done.

   Matthias

It would be good to have some good clarification on how *not* to print to log files. I've been doing the close() trick in my logging framework for a long time but you and Vern both agreed that using close() probably isn't the right way to do it. It works really well in this situation though because it does prevent remote printing as well as local printing.

  .Seth