Take action on a notice?

I’m regularly seeing PacketFilter::Dropped_Packets notices in my logs, which I believe are related to an issue with the version of PF_RING that I’m using. I’m in the midst of getting it upgraded, but in the meantime I’d love to be able to take an automated action on these notices (i.e., automatically restart the worker process that’s dropping packets).

I know all the parts for doing this are in the archives somewhere, but would someone mind giving me at least the high-level steps? My brogramming is nascent at best…

Cheers,

Jesse

I use this, but it is for restarting workers that have completely
stopped processing packets:

*/5 * * * * root sleep 5 ; grep -s -P "\t0\t0\t0" /usr/local/bro/logs/current/capture_loss.log && restart_bro

restart_bro is just a script that uses broctl to restart bro and sends
notifications.
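
Added example, not part of the reply above and not the restart_bro script it mentions: a shell function that applies the same zero-gaps/zero-ACKs check, but only to each worker's newest capture_loss.log record, so that just the stalled worker gets restarted. It assumes the log has a "#fields" header with peer, gaps and acks columns and that peer names are also broctl node names; stalled_peers and restart_stalled are hypothetical names.

```shell
#!/bin/sh
# stalled_peers LOGFILE
# Prints, one per line, each peer whose most recent capture_loss.log record
# has gaps == 0 and acks == 0 (the worker saw no TCP traffic in that interval).
stalled_peers() {
    awk -F '\t' '
        # Learn column positions from the "#fields" header instead of
        # hard-coding them; data columns are shifted by one vs. the header.
        $1 == "#fields" { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
        /^#/            { next }      # other header/footer lines
        !("peer" in col) { next }     # no header seen yet, cannot parse
        {
            p = $(col["peer"])
            # Later records overwrite earlier ones, so a worker that
            # recovered (or was already restarted) is not reported again.
            stalled[p] = ($(col["gaps"]) == 0 && $(col["acks"]) == 0)
        }
        END { for (p in stalled) if (stalled[p]) print p }
    ' "$1" | sort
}

# restart_stalled LOGFILE
# Restarts only the stalled nodes. Assumption: peer names in the log are
# the node names broctl knows.
restart_stalled() {
    for node in $(stalled_peers "$1"); do
        broctl restart "$node"
    done
}

# Typical call from cron (log path taken from the reply above):
#   restart_stalled /usr/local/bro/logs/current/capture_loss.log
```
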

Hi Justin,

In fact my workers have completely stopped processing packets as well; I’ll look at this incantation and see if that works for me. Although I need to just solve the problem, I thought it might also be a good problem to force me into delving into the scripting language itself. :)

Cheers,

Jesse