Weird Log rotation in Bro IDS 2.5 Beta

Bro IDS was storing all of my files in the logs/current directory for the last couple of days. I restarted Bro to see if the files would rotate into the proper directories; instead I got this:

drwxr-xr-x 2 root root 36864 Nov 2 22:21 2000-00-
drwxr-xr-x 2 root root 4096 Nov 2 22:21 2000-25-
drwxr-xr-x 2 root root 4096 Nov 2 22:21 2000-33-
drwxr-xr-x 2 root root 4096 Nov 2 22:20 2000-35-
drwxr-xr-x 2 root root 4096 Nov 2 22:21 2000-36-
drwxr-xr-x 2 root root 4096 Nov 2 22:21 2010-22-
drwxr-xr-x 2 root root 4096 Nov 2 22:21 2011-27-
drwxr-xr-x 2 root root 4096 Nov 2 22:20 2011-37-
drwxr-xr-x 2 root root 4096 Oct 29 00:00 2016-10-28
drwxr-xr-x 2 root root 20480 Oct 30 00:00 2016-10-29
drwxr-xr-x 2 root root 20480 Oct 30 23:00 2016-10-30
drwxr-xr-x 2 root root 4096 Oct 31 22:54 2016-10-31
drwxr-xr-x 2 root root 4096 Nov 2 22:20 2031-32-
drwxr-xr-x 2 root root 4096 Nov 2 22:21 2039-49-
drwxr-xr-x 2 root root 4096 Nov 2 22:21 2057-18-
drwxr-xr-x 2 root root 4096 Nov 2 22:21 2057-19-
lrwxrwxrwx 1 root root 19 Nov 2 22:22 current -> /data/bro/spool/bro

Anyone got any ideas why this happened?

Also, I used “broctl deploy” first, then that ran for a couple of days, then I ran “broctl stop”. That's when the weirdness happened, after I ran broctl deploy.

Are you writing your logs as JSON? If you are, are you doing something like this too?

  redef LogAscii::json_timestamps = JSON::TS_ISO8601;

.Seth

Wait, sorry. I emailed too quickly. I was asking those questions because they are related to a bug, but I see that you are running the 2.5 beta and the bug is fixed there. Are you making any changes to how you write out logs though? If you are, that could point to another instance of the same bug that we missed.

Thanks,
  .Seth

Yes, I am writing logs as JSON, but I don’t have the ISO part on the end. What is the correct way that line should read, and is that the fix?

Nope, that line I provided is not a fix. We fixed an issue related to timestamp rendering in the 2.5 release. Whatever problem you are encountering is unknown. Is anyone else on the list seeing issues like this?

  .Seth

OK, please let me know if you need further information and if this qualifies as a bug.

Here is my redef I am using to write log files in JSON.

  redef LogAscii::use_json = T;

From your line, if I want to write the timestamp as something other than EPOCH, then I should use the line you mentioned in addition to the redef I have.