logs in bro/spool/manager not consistent with archived logs

I’m running bro in my test environment and if I do an ls on the directory where current logs are supposed to be stored I get this

root@spot:/usr/local/bro/logs# ls /usr/local/bro/spool/manager

communication.log loaded_scripts.log reporter.log stderr.log stdout.log

If I run an ls in one of the archived directories I get this

app_stats.00:00:00-01:00:00.log.gz conn.06:00:00-07:00:00.log.gz dpd.07:00:00-08:00:00.log.gz known_services.00:00:00-01:00:00.log.gz reporter.12:49:56-12:58:35.log.gz ssl.12:00:00-13:00:00.log.gz

app_stats.01:00:00-02:00:00.log.gz conn.07:00:00-08:00:00.log.gz dpd.08:00:00-09:00:00.log.gz known_services.01:00:00-02:00:00.log.gz reporter.13:02:38-13:06:00.log.gz tunnel.07:00:00-08:00:00.log.gz

app_stats.02:00:00-03:00:00.log.gz conn.08:00:00-09:00:00.log.gz dpd.09:00:00-10:00:00.log.gz known_services.09:00:00-10:00:00.log.gz snmp.00:00:00-01:00:00.log.gz tunnel.08:00:00-09:00:00.log.gz

app_stats.03:00:00-04:00:00.log.gz conn.09:00:00-10:00:00.log.gz dpd.10:00:00-11:00:00.log.gz known_services.12:00:00-13:00:00.log.gz snmp.01:00:00-02:00:00.log.gz tunnel.10:00:00-11:00:00.log.gz

app_stats.04:00:00-05:00:00.log.gz conn.10:00:00-11:00:00.log.gz dpd.11:00:00-12:00:00.log.gz loaded_scripts.12:45:56-12:58:35.log.gz snmp.02:00:00-03:00:00.log.gz tunnel.11:00:00-12:00:00.log.gz

app_stats.05:00:00-06:00:00.log.gz conn.11:00:00-12:00:00.log.gz dpd.12:00:00-13:00:00.log.gz loaded_scripts.12:58:38-13:00:00.log.gz snmp.03:00:00-04:00:00.log.gz tunnel.12:00:00-13:00:00.log.gz

app_stats.06:00:00-07:00:00.log.gz conn.12:00:00-13:00:00.log.gz files.00:00:00-01:00:00.log.gz notice.00:00:00-01:00:00.log.gz snmp.09:00:00-10:00:00.log.gz weird.00:00:00-01:00:00.log.gz

app_stats.07:00:00-08:00:00.log.gz conn-summary.00:00:00-01:00:00.log.gz files.01:00:00-02:00:00.log.gz notice.01:00:00-02:00:00.log.gz snmp.10:00:00-11:00:00.log.gz weird.01:00:00-02:00:00.log.gz

app_stats.08:00:00-09:00:00.log.gz conn-summary.01:00:00-02:00:00.log.gz files.02:00:00-03:00:00.log.gz notice.02:00:00-03:00:00.log.gz snmp.11:00:00-12:00:00.log.gz weird.02:00:00-03:00:00.log.gz

app_stats.09:00:00-10:00:00.log.gz conn-summary.02:00:00-03:00:00.log.gz files.03:00:00-04:00:00.log.gz notice.03:00:00-04:00:00.log.gz software.00:00:00-01:00:00.log.gz weird.03:00:00-04:00:00.log.gz

app_stats.10:00:00-11:00:00.log.gz conn-summary.03:00:00-04:00:00.log.gz files.04:00:00-05:00:00.log.gz notice.04:00:00-05:00:00.log.gz software.01:00:00-02:00:00.log.gz weird.04:00:00-05:00:00.log.gz

Is there a configuration directive that I’m missing?

Thanks in advance for any help.


The directory "spool/manager" is where the current (i.e., active) logs
are located. The "logs" directory is where the archived logs are
located. Logs are archived according to the log rotation interval
specified in your configuration.

Right. The "logs" directory has compressed versions of the files that are
under "current" but all I'm seeing under current are the 5 logs which do
not map to the naming scheme in the archived directories.


Correct. The naming convention used for the archived logs
is to organize them by day (each day gets its own subdirectory under
the "logs" directory), and the filename of each log contains
the time range of that log. For example, conn.06:00:00-07:00:00.log.gz
is the conn.log for the time period 6:00am to 7:00am.

So why is it I’m not getting a conn.log in the "current" directory but I’m
getting conn.xx:xx:xx-yy:yy:yy.log.gz in the archive directories? Is
there some kind of a directive that I need to set that I’m missing?


There is no special setting needed to get Bro to log
to conn.log.

The "current" conn.log is the log that Bro is writing now,
so if you don't see that file, then that would indicate that
Bro hasn't written anything to that log since the last log
rotation (by default, logs are rotated once per hour).
However, it is quite unusual to not see a conn.log, which
may indicate a problem with your setup. If your Bro never
writes to conn.log, then you would not see any archived
conn.log either.

That’s the weird part. I have a complete set of conn logs that have been
archived (see below) and they have real data in them.
-rw-r--r-- 1 root root 1.5M Jun 18 01:00 conn.00:00:00-01:00:00.log.gz
-rw-r--r-- 1 root root 826K Jun 18 02:00 conn.01:00:00-02:00:00.log.gz
-rw-r--r-- 1 root root 443K Jun 18 03:00 conn.02:00:00-03:00:00.log.gz
-rw-r--r-- 1 root root 387K Jun 18 04:00 conn.03:00:00-04:00:00.log.gz
-rw-r--r-- 1 root root 312K Jun 18 05:00 conn.04:00:00-05:00:00.log.gz
-rw-r--r-- 1 root root 366K Jun 18 06:00 conn.05:00:00-06:00:00.log.gz
-rw-r--r-- 1 root root 501K Jun 18 07:00 conn.06:00:00-07:00:00.log.gz
-rw-r--r-- 1 root root 1.3M Jun 18 08:00 conn.07:00:00-08:00:00.log.gz
-rw-r--r-- 1 root root 1.5M Jun 18 09:00 conn.08:00:00-09:00:00.log.gz
-rw-r--r-- 1 root root 3.5M Jun 18 10:00 conn.09:00:00-10:00:00.log.gz
-rw-r--r-- 1 root root 3.6M Jun 18 11:00 conn.10:00:00-11:00:00.log.gz
-rw-r--r-- 1 root root 3.9M Jun 18 12:00 conn.11:00:00-12:00:00.log.gz
-rw-r--r-- 1 root root 6.4M Jun 18 13:00 conn.12:00:00-13:00:00.log.gz
-rw-r--r-- 1 root root 3.7M Jun 18 14:00 conn.13:00:00-14:00:00.log.gz
-rw-r--r-- 1 root root 4.1M Jun 18 15:00 conn.14:00:00-15:00:00.log.gz

But no current/conn.log. This is a real head scratcher.
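As an added check (not part of the thread, and not Bro's own tooling), the script below applies the archive naming convention described above (stream.HH:MM:SS-HH:MM:SS.log.gz, one day per subdirectory) to list the streams that appear in an archived day but have no active file in spool/manager, i.e. the streams Bro has not written to since the last rotation. It builds a constructed sample layout under a temporary directory, modelled on the listings in the thread; the paths and file names it creates are assumptions, and it never touches a real Bro installation.

```shell
#!/bin/sh
# Added diagnostic for the thread's question; runs on a constructed layout.
set -u
export LC_ALL=C                      # stable sort order for comm(1)
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CURRENT="$WORK/spool/manager"        # active logs (constructed sample)
ARCHIVE="$WORK/logs/2014-06-18"      # hypothetical archived day
mkdir -p "$CURRENT" "$ARCHIVE"
for f in communication loaded_scripts reporter stderr stdout; do
    : > "$CURRENT/$f.log"
done
for f in conn.06:00:00-07:00:00 conn.07:00:00-08:00:00 dpd.07:00:00-08:00:00 \
         reporter.12:49:56-12:58:35 ssl.12:00:00-13:00:00; do
    : > "$ARCHIVE/$f.log.gz"
done

# Split an archived file name into "stream start end", e.g.
# conn.06:00:00-07:00:00.log.gz -> "conn 06:00:00 07:00:00"
parse_archive_name() {
    printf '%s\n' "$1" |
        sed -n 's/^\(.*\)\.\([0-9:]\{8\}\)-\([0-9:]\{8\}\)\.log\.gz$/\1 \2 \3/p'
}

# Distinct log streams present in one archived day directory.
archived_streams() {
    for p in "$1"/*.log.gz; do
        parse_archive_name "$(basename "$p")"
    done | cut -d' ' -f1 | sort -u
}

# Distinct log streams with an active file in the current directory.
current_streams() {
    for p in "$1"/*.log; do basename "$p" .log; done | sort -u
}

# Streams archived today but absent from current: nothing written to them
# since the last rotation (the conn.log situation in the thread).
missing_since_rotation() {
    current_streams "$1" > "$WORK/current.txt"
    archived_streams "$2" > "$WORK/archived.txt"
    comm -23 "$WORK/archived.txt" "$WORK/current.txt"
}

echo "Archived streams with no active log under $CURRENT:"
missing_since_rotation "$CURRENT" "$ARCHIVE"
```

If a stream such as conn shows up here on a live sensor, the next place to look is the reporter.log and stderr.log in the same directory for the period after the last rotation.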