Noticed that on certain restarts of bro-2.4-beta, logs arbitrarily disappear.
Restarts happen as:
broctl check; broctl restart
broctl check; broctl restart --clean
or some variant - not precisely sure. But all log files for that duration of restarts are missing.
I don't believe there is really anything new here (the way logs get archived
hasn't really changed since at least Bro 2.0), but for the next release
I'd like to change the way logs are archived to make the whole procedure
more robust and less confusing to the user (perhaps broctld could play
a role in this). I've added a small section to the broctl user manual
describing how a user could deal with this situation (hopefully that will
clear up some of the confusion).
I am not sure what specific crashes of bro are causing it, but yes, logs are not getting archived.
While I have not manually been able to reproduce this, there are quite a few of these events which happened automatically since Jun 1st:
Logs got moved to ~/spool/tmp but never got archived:
Have you tried upgrading to the 2.4 release? (all but one of the timestamps in your comment are from before the official release of 2.4)
Aashish, one more ping on this before we close it.
Please close it!
If I encounter this again, I will request a new ticket!!!