Logs disappearing on broctl restart


Noticed that on certain restarts of bro-2.4-beta, logs arbitrarily disappear.

Restarts happen as

  • broctl check; broctl restart

  • broctl check; broctl restart --clean

  • broctl restart

or some variant - not precisely sure. But all log files for that duration of restarts are missing.




Daniel Thayer
May 26, 2015, 4:47 PM

I don't believe there is really anything new here (the way logs get archived
hasn't really changed since at least Bro 2.0), but for the next release
I'd like to change the way logs are archived to make the whole procedure
more robust and less confusing to the user (perhaps broctld could play
a role in this). I've added a small section to the broctl user manual
describing how a user could deal with this situation (hopefully that will
clear up some of the confusion).

Aashish Sharma
June 14, 2015, 4:46 PM

Issue Remains.

I am not sure what specific crashes of bro are causing it, but yes, logs are not getting archived.

While I have not manually been able to reproduce this, there are quite a few of these events which happened automatically since Jun 1st:

Logs got moved to ~/spool/tmp but never got archived:

36G post-terminate-2015-06-02-13-50-24-6473-crash
9.4G post-terminate-2015-06-03-15-05-04-18332-crash
11G post-terminate-2015-06-05-15-05-05-12274-crash
9.4G post-terminate-2015-06-08-15-05-45-71408-crash
11G post-terminate-2015-06-11-15-05-45-5191-crash
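
A check for the situation reported above, as an added example that is not part of the ticket or of broctl: it scans a spool tmp directory for leftover post-terminate directories that still hold files, so unarchived logs are noticed before they are cleaned up. The function names, the optional "-crash" suffix and the sample tree are assumptions made for this example.

```python
import os
import re
import tempfile
from datetime import datetime

# Name format taken from the listing in the thread (timestamp, then PID), e.g.
# post-terminate-2015-06-02-13-50-24-6473-crash; optional "-crash" is an assumption.
NAME_RE = re.compile(r"^post-terminate-(\d{4}(?:-\d{2}){5})-(\d+)(-crash)?$")

def find_unarchived(spool_tmp):
    """Return post-terminate directories under spool_tmp that still hold files."""
    leftovers = []
    for name in sorted(os.listdir(spool_tmp)):
        path = os.path.join(spool_tmp, name)
        m = NAME_RE.match(name)
        if not m or not os.path.isdir(path) or os.path.islink(path):
            continue
        files = size = 0
        for root, _dirs, fnames in os.walk(path):
            for fn in fnames:
                fp = os.path.join(root, fn)
                if not os.path.islink(fp):  # do not count link targets outside the tree
                    files += 1
                    size += os.path.getsize(fp)
        if files:  # an empty directory means nothing was left behind
            leftovers.append({
                "dir": name,
                "timestamp": datetime.strptime(m.group(1), "%Y-%m-%d-%H-%M-%S"),
                "pid": int(m.group(2)),
                "crash": bool(m.group(3)),
                "files": files, "bytes": size,
            })
    return leftovers

def build_sample_tree():
    """Constructed sample: one leftover crash dir, one empty one, one unrelated dir."""
    base = tempfile.mkdtemp(prefix="spool-tmp-")
    crash = os.path.join(base, "post-terminate-2015-06-02-13-50-24-6473-crash")
    os.makedirs(crash)
    with open(os.path.join(crash, "conn.log"), "w") as fh:
        fh.write("x" * 100)  # stand-in for log data that was never archived
    os.makedirs(os.path.join(base, "post-terminate-2015-06-03-15-05-04-18332-crash"))
    os.makedirs(os.path.join(base, "unrelated-dir"))
    return base

if __name__ == "__main__":
    for entry in find_unarchived(build_sample_tree()):
        print(entry)
```

Pointing `find_unarchived` at the real spool tmp directory from a scheduled job gives an early signal that logs were moved aside but not archived.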

Daniel Thayer
June 17, 2015, 8:07 PM

Have you tried upgrading to the 2.4 release? (all but one of the timestamps in your comment are from before the official release of 2.4)

Seth Hall
September 4, 2015, 11:51 AM

Aashish, one more ping on this before we close it.

Aashish Sharma
September 4, 2015, 4:13 PM

Please close it!

If I encounter this again, I will request a new ticket!!!


