Hey all,
I posted about this last August here:
http://mailman.icsi.berkeley.edu/pipermail/bro/2014-August/007329.html
I also noticed someone have a disappearing log event which I have seen before as well here:
http://mailman.icsi.berkeley.edu/pipermail/bro/2015-January/007935.html
I documented my process on installing bro on Ubuntu 14.04 using just log rotation below:
sudo apt-get -y install cmake
sudo apt-get -y install python-dev
sudo apt-get -y install swig
cp /usr/local/bro/share/bro/site
cp /opt/bin/startbro <- command line bro with long --filter line
cp /opt/bin/startbro to /etc/rc.local
sudo ln -s /usr/local/bro/bin/bro /usr/local/bin/
sudo ln -s /usr/local/bro/bin/bro-cut /usr/local/bin/
sudo ln -s /usr/local/bro/bin/broctl /usr/local/bin/
sudo ln -s /usr/local/bro/share/broctl/scripts/archive-log /usr/local/bin/
sudo ln -s /usr/local/bro/share/broctl/scripts/broctl-config.sh /usr/local/bin/
sudo ln -s /usr/local/bro/share/broctl/scripts/create-link-for-log /usr/local/bin/
sudo ln -s /usr/local/bro/share/broctl/scripts/make-archive-name /usr/local/bin/
git clone https://github.com/jonschipp/mal-dnssearch.git
sudo make install
specifics on log rotation only:
add the below to local.bro
redef Log::default_rotation_interval = 86400 secs;
redef Log::default_rotation_postprocessor_cmd = "archive-log";
edit the below in broctl.cfg
MailTo = jlay@slave-tothe-box.net
LogRotationInterval = 86400
sudo /usr/local/bro/bin/broctl install
Besides the edits to broctl.cfg, file locations are the default. The above works well usually…it's after a reboot I have found things go bad. Usually logs get rotated at midnight and I get an email with statistics, just what I need. I rebooted the machine on the 13th, and that's the last email or log rotation I got…this morning I see current has files and my logstash instance has data, so I believe the rotation got…"stuck". I'm kicking myself for not heading/tailing the files first, but after issuing a "sudo killall bro", those files in current vanished, no directory was created, and I received no email; that data is now gone (no big deal as this is at home). I decided to run broctl install again, then start and kill bro one more time. At that point, I got a new directory with log rotation and an email with minutes or so of stats. Please let me know if there's something I can do on my end to troubleshoot. Thank you.
James
Confirming that this method is no longer working. Heading my connlog file I see:
#open 2015-01-19-00-00-05
my /usr/local/bro/logs is completely missing Jan 18th. From my broctl.cfg:
SpoolDir = /usr/local/bro/spool
LogDir = /usr/local/bro/logs
LogRotationInterval = 86400
redef Log::default_rotation_interval = 86400 secs;
redef Log::default_rotation_postprocessor_cmd = "archive-log";
Anything else I can do to debug this? Thank you.
James
Are you using broctl to start and stop Bro? What does /opt/bin/startbro do?
Thanks for looking Daniel. I am starting this with the below:
/usr/local/bro/bin/bro --no-checksums -i eth0 -i ppp0 --filter '( large filter line here)' local "Site::local_nets += { 192.168.1.0/24 }"
I'm not using broctl. The only small portion that I am using it for is the log rotation as outlined in the email thread. After killing and starting bro yesterday, this morning at midnight logs got rotated and I got my report email. This appears to happen after a complete reboot of the device. It's very odd. Thanks again.
James
What command do you use to stop (or restart) Bro?
The classic: sudo killall bro when I have to do it manually. Then start with the command line above. Thanks again.
James
OK, since you're not using broctl to start/stop bro, here's
what happens:
When you stop bro, bro will rotate all log files (rename them with
a timestamp). Then, bro will spawn "archive-log" processes, one
per log file, to archive (i.e., copy or gzip to another directory)
each rotated log file. This can take some time, depending on the
log file size, and whether you're generating connection summary
reports or not. If the machine is rebooted while this is
happening, then one or more of the rotated logs might not get
archived (because the "archive-log" processes were killed before
they had a chance to finish).
Next time you boot your machine and start bro, the rotated logs will
still be there (unless you have some other script that removes that
directory), but they will never get archived automatically.
And, because the rotated log filenames contain a date/timestamp, they
will not be overwritten by new logs.
To avoid this issue when you want to reboot, I suggest stopping bro,
and then waiting for all the logs to finish being archived, then reboot.
Thanks Daniel,
So, compressed, the entire directory of log files is 7.5 megs…really small, so I don't think it's a question of getting stuck during compression (truth be told the box doing the bro-ing is sitting right next to the box I'm typing this email on…I can hear the drive whir away when I stop bro and it lasts maybe 30 seconds). Also, before reboot I manually stop bro…out of habit. My only thought is that maybe the path of /usr/local/bin/ where I've symlinked the additional scripts isn't seen when my startbro script is run from the /etc/rc.local file? In any case I can reproduce the behavior on reboot, so if there's a way to debug this I'd love to give it a go. I'll research the path thing on my end (Ubuntu 14.0.4) and I'll try a) rebooting and starting bro manually and b) symlinking the script files to /usr/local/sbin/. I'll report my findings for anyone else out there, but I kinda think most people are just using broctl anyways. Thanks again, Daniel.
James
One other thing to check is which directory you are starting Bro from,
because that's where Bro will create its log files (if you were
using broctl, this should be /usr/local/bro/spool/bro).
If you ever notice that you are missing logs in the archive directory
(a subdirectory of /usr/local/bro/logs), then you'll want to check
the directory where you were running Bro to see if it contains any
unarchived logs (if you were using broctl to start/stop bro, then
you'd also need to check all subdirectories of
/usr/local/bro/spool/tmp).
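The two checks the thread points at, as an added example (not part of the list messages and not Bro's own tooling): list rotated logs that archive-log never finished with in the directory Bro was started from, confirm the helper scripts symlinked into one directory actually resolve, and wait for archive-log to drain before a reboot. It assumes the Bro 2.x default rotated-file naming `<stream>-YY-MM-DD_HH.MM.SS.log`; the helper names come from the symlink list earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Audit helpers for a Bro instance that is
# started and stopped outside broctl (e.g. from /etc/rc.local + "killall bro").
# Assumption: rotated logs are named <stream>-YY-MM-DD_HH.MM.SS.log (Bro 2.x
# default rotation naming); plain <stream>.log is the live, unrotated file.

# Print rotated log files still sitting in Bro's working directory, i.e. files
# archive-log never got to process. Returns 0 if none were found, 1 otherwise.
find_unarchived_logs() {
    workdir="$1"
    found=0
    for f in "$workdir"/*.log; do
        [ -e "$f" ] || continue          # no match: the glob stays literal
        case "$(basename "$f")" in
            *-[0-9][0-9]-[0-9][0-9]-[0-9][0-9]_[0-9][0-9].[0-9][0-9].[0-9][0-9].log)
                echo "$f"; found=1 ;;
        esac
    done
    return $found
}

# Verify the scripts archive-log depends on are present, resolve and are
# executable in the given directory. A dangling symlink still shows up in "ls"
# but fails "-e", which is exactly the failure James hit. Returns the number
# of broken or missing entries (0 means all good).
check_helper_links() {
    bindir="$1"
    bad=0
    for name in archive-log broctl-config.sh create-link-for-log make-archive-name; do
        if [ ! -e "$bindir/$name" ] || [ ! -x "$bindir/$name" ]; then
            echo "BROKEN: $bindir/$name" >&2
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# After stopping Bro, wait until every archive-log process has exited so a
# reboot cannot cut archiving short. Gives up after $1 seconds (default 120),
# returning 1 so a caller can refuse to reboot.
wait_for_archiving() {
    limit="${1:-120}"
    while pgrep -f archive-log >/dev/null 2>&1; do
        limit=$((limit - 1))
        [ "$limit" -gt 0 ] || return 1
        sleep 1
    done
    return 0
}

# Typical pre-reboot sequence on the sensor (paths from the thread):
#   sudo killall bro && wait_for_archiving 120
#   find_unarchived_logs /path/where/bro/was/started
#   check_helper_links /usr/local/bin
```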
So I think I may have this resolved. Yesterday I noticed that two symlinks were bad:
create-link-for-log
make-archive-name
I’ve symlinked these correctly and rebooted. I manually started bro instead of having it start in /etc/rc.local. My last test when I need to reboot again will be to have bro autostart. Thanks all.
James