So…at some point in time, my bro crashed. I lost about 4 days worth of data. I checked syslogs and found no indication of this…is there any way to get a log or notification or something when this happens? Thank you.
James
Do you have a cron job installed to run the "broctl cron" command?
Also, you probably want to check that the cron command is enabled with "broctl cron ?"
.Seth
I'd neglected to add that in….thanks Seth!
James
And in the belt-and-suspenders approach, you probably want to monitor the status of the processes with Nagios, Zabbix, or some other system/host monitoring system. If my number of Bro processes drops below a certain figure, I get an email. Could be a page if I wanted it to be. And while you're configuring Bro monitoring, you might as well go ahead and monitor other things that can affect your monitor: free disk space, CPU, free RAM, dropped packets on the network interface, etc.
This doesn't help you *this* time, but if there's a next time, you'll at least find out about it before more than several days have gone by.
Mike
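As an added illustration of the process-count check Mike describes (this script is not from the thread, nor part of Bro or BroControl), here is a minimal Nagios-style plugin: it counts running processes named "bro", compares the count with an expected minimum passed as the first argument, and exits with the conventional plugin codes (0 OK, 1 WARNING, 2 CRITICAL) so Nagios, Zabbix or a cron wrapper can raise an alert when the count drops. The process name "bro" and the threshold are assumptions; adjust them to the deployment (for example manager + proxy + number of workers).

```shell
#!/bin/sh
# Added example, not from the thread: a Nagios-style check that alerts when
# the number of running Bro processes falls below an expected minimum.
# Assumptions: the processes show up in ps with the command name "bro",
# and the expected minimum is given as the first argument.

# count_processes NAME -> prints how many processes have that command name
count_processes() {
    name="${1:-bro}"
    # ps comm= prints bare command names; grep -c prints 0 (and exits 1)
    # when nothing matches, so force a success status for the caller.
    ps -eo comm= 2>/dev/null | grep -c "^${name}\$" || true
}

# classify COUNT MINIMUM -> prints a status line, returns the plugin exit code
classify() {
    count="$1"
    minimum="$2"
    if [ "$count" -ge "$minimum" ]; then
        echo "OK - $count bro processes running (minimum $minimum)"
        return 0
    elif [ "$count" -gt 0 ]; then
        echo "WARNING - only $count of $minimum bro processes running"
        return 1
    else
        echo "CRITICAL - no bro processes running (minimum $minimum)"
        return 2
    fi
}

# check_bro_processes MINIMUM -> the plugin entry point
check_bro_processes() {
    minimum="${1:-1}"
    count=$(count_processes bro)
    classify "$count" "$minimum"
}

# Usage from a cron job or a monitoring agent (hypothetical deployment of
# one manager, one proxy and four workers, hence a minimum of 6):
#   ./check_bro_processes.sh 6; echo "exit code $?"
```

Run it from the monitoring system's check directory with the minimum that matches your cluster layout; a WARNING means some workers died, a CRITICAL means Bro is down entirely. It complements rather than replaces the "broctl cron" job from Seth's reply: cron restarts what crashed, while this check makes sure someone hears about it.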