No log when bro script is run with broctl

Hi all,

I have a simple Bro script that records SSL-related info to its own log.
The log is created with Log::create_stream, as described on this page:
https://www.bro.org/sphinx/frameworks/logging.html.
When running Bro directly from the command line with:

bro -C -b -i eth0 script.bro

the expected log file is written in the directory in which Bro is run
(together with some logs that are produced automatically, like ssl.log).
But when I try to do the same through a broctl setup, I don't get a log
any more. Here's my configuration:
  - modified sites/local.bro to include only my script
  - broctl config files are otherwise only slightly modified, using the
standard setup of a single, local node
  - used broctl for deploying and starting the node
It seems that the script is properly deployed to the node; at least the
diag command from broctl shows that the script got loaded (from the
spooling location). But I do not get the log that the script is supposed
to produce. All other logs (like ssl.log) are created ordinarily and are
found in the expected location.
My question is: am I missing something, is there a difference between the
scripts shipped with Bro and my deployed script that prevents it from
writing logs? Or is this most likely a bug?

Another question: what are the prerequisites of broctl? Apparently you
can build it without Broker and Broccoli, but then some commands from
broctl do not work.

Any help is appreciated,

Tobi

PS. I work with a slightly patched version of Bro, you'll find the patch
here: https://bro-tracker.atlassian.net/browse/BIT-1855. But it
shouldn't make a difference, it only adds an additional parameter to the
ssl_client_hello event. As explained previously, when running Bro from
command line, I do not have any issues, even with the patched version.

Hi,

> Hi all,
>
> I have a simple Bro script that records SSL-related info to its own log.
> The log is created with Log::create_stream, as described on this page:
> https://www.bro.org/sphinx/frameworks/logging.html.
> When running Bro directly from the command line with:
>
> bro -C -b -i eth0 script.bro
>
> the expected log file is written in the directory in which Bro is run
> (together with some logs that are produced automatically, like ssl.log).
> But when I try to do the same through a broctl setup, I don't get a log
> any more. Here's my configuration:
>   - modified sites/local.bro to include only my script
>   - broctl config files are otherwise only slightly modified, using the
> standard setup of a single, local node
>   - used broctl for deploying and starting the node
> It seems that the script is properly deployed to the node; at least the
> diag command from broctl shows that the script got loaded (from the
> spooling location). But I do not get the log that the script is supposed
> to produce. All other logs (like ssl.log) are created ordinarily and are
> found in the expected location.
> My question is: am I missing something, is there a difference between the
> scripts shipped with Bro and my deployed script that prevents it from
> writing logs? Or is this most likely a bug?

This sounds a bit odd and I am not really sure what you are doing wrong.
My first intuition would be to do a full stop of all nodes that broctl is
running, and then do a deploy again just to make sure that the logger,
manager, and worker nodes are really all running the same scripts.

Apart from that, to answer your question - the scripts that are shipped
with Bro are not handled differently from scripts that you write. They use
the exact same mechanics to create log files - so if it works for them it
should work for you.

It also is always worthwhile to check reporter.log for script error
messages that creep up.

> Another question: what are the prerequisites of broctl? Apparently you
> can build it without Broker and Broccoli, but then some commands from
> broctl do not work.

Other people are probably more qualified to answer this question - but
currently Bro is typically built without broker support (one has to
specifically enable it) and with broccoli support. Without broccoli you
miss some features like being able to directly access the value of
variables; however the base functionality should still work.

I hope this helps,
Johanna

Hi,

> This sounds a bit odd and I am not really sure what you are doing wrong.
> My first intuition would be to do a full stop of all nodes that broctl is
> running, and then do a deploy again just to make sure that the logger,
> manager, and worker nodes are really all running the same scripts.

I did that several times, that was not the issue.

> It also is always worthwhile to check reporter.log for script error
> messages that creep up.

This was a good hint: it reported checksum errors. Since I explicitly
disabled checksums on the command line with -C, I added ignore_checksums
in bro.local and it worked. Probably I missed just the ssl_established
event that triggers the log write. This is weird, since the default SSL
analyzer makes use of it, too, and its log got written...

Thanks for your help!

Tobias
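For readers hitting the same symptom, here is an added example (not Tobias's script, and not part of the original thread) of a custom SSL log created with Log::create_stream and written from ssl_established, with the checksum setting that replaces the command-line -C when the script is deployed through broctl. The module name SSLInfo and the log path "sslinfo" are assumptions.

```bro
module SSLInfo;

export {
    # Register a new log stream ID for our own log file.
    redef enum Log::ID += { LOG };

    # Columns of the custom log; &optional fields stay empty if unset.
    type Info: record {
        ts:          time    &log;
        uid:         string  &log;
        id:          conn_id &log;
        server_name: string  &log &optional;
        version:     string  &log &optional;
        cipher:      string  &log &optional;
    };
}

# broctl starts Bro without -C. Without this redef, packets with bad
# checksums (common with NIC offloading) are dropped before the SSL
# analyzer runs, so ssl_established never fires and nothing is logged.
# reporter.log shows the checksum errors in that case.
redef ignore_checksums = T;

event bro_init()
    {
    # Creates sslinfo.log in Bro's working directory (the node's spool
    # directory under broctl, later rotated into the logs directory).
    Log::create_stream(SSLInfo::LOG, [$columns=Info, $path="sslinfo"]);
    }

event ssl_established(c: connection)
    {
    # The SSL analyzer fills c$ssl; guard in case it is absent.
    if ( ! c?$ssl )
        return;

    local rec: Info = [$ts=network_time(), $uid=c$uid, $id=c$id];

    if ( c$ssl?$server_name )
        rec$server_name = c$ssl$server_name;
    if ( c$ssl?$version )
        rec$version = c$ssl$version;
    if ( c$ssl?$cipher )
        rec$cipher = c$ssl$cipher;

    Log::write(SSLInfo::LOG, rec);
    }
```

Load it from sites/local.bro and run `broctl deploy`; if sslinfo.log is still missing, grep reporter.log for the checksum messages mentioned above before suspecting the logging framework.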