I’ve inherited a Bro 2.5.5 setup from someone else and am coming to it after it’s been running for a while without producing any conn or other protocol logs. I’ve tried restarting Bro and redeploying, but the only logs that get started are
communication.log
loaded_scripts.log
packet_filter.log
reporter.log
stats.log
stderr.log
stdout.log
weird.log
None of these logs are filling up with anything useful or indicating what the problem may be. The only useful message is “non_ip_packet_in_ethernet” in the weird.log. That seems to point to a network issue rather than a Bro issue, but I’d like to rule out a Bro issue first if possible. At one point this setup did produce useful logs but apparently it just stopped at some point and I’m not sure why. The only thing somewhat unique about this setup is that at one point it required me to use the setting ‘redef encap_hdr_size=10;’ to handle an incompatibility between Bro and a vlan technology this network uses. I’ve also verified that the taps that Bro is listening on are seeing actual traffic by using tshark, which is able to decode the protocols.
Any suggestions as to where to start and how to diagnose this?
Thanks,
Mark