Hello all, I'm very new to bro and am having to learn and manage an existing implementation, which means I have to make sense of everything as I troubleshoot. If this is not the best place to ask for help, please feel free to correct me.
The instance I'm having issues with is a bro sensor. It collects logs and then sends them to Splunk. On 11/17, it stopped sending logs. I've spent the last couple of weeks trying to figure this out.
When I go to /nsm/bro/logs/ and /logs/current, there are no log files at all in the directories. On another sensor, when I go to these folders, I see log files that are named after the date (e.g. 2017-12-07). When I try to run broctl, it gives me the below error:
"Error: must run broctl on same machine as the standalone node. The standalone node has IP address 127.0.0.1 and this machine has IP addresses: 172.27.x.x (x are placeholders), fe80::1e98:ecff:fe15:d098"
I get that same error whenever I try to do anything with broctl, even stop it. When I go to the node.cfg file in /opt/bro, it displays this:
However, when I look at that file on the other sensor, it displays:
Just an FYI, the working sensor also sends logs to SecurityOnion, so I'm not sure if that has anything to do with the difference in node.cfg. The non-working sensor only sends logs to Splunk, and I have already verified that the Splunk Forwarder is working properly.
I'm probably not giving you everything you need to help, but please let me know what I can provide. I'm almost to the point where I want to just reinstall, but it looks like I'm caught up in a manager-worker situation and I don't know enough about the architecture yet to feel comfortable taking that kind of action.
Is there anything I am missing that would help this? Nobody has been able to find out why the logs all of a sudden stopped and all we need is to get them going again. Thanks for any help you can offer!
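A diagnostic for the broctl error quoted above, added here as an example and not code from the thread or from Bro/broctl: it parses node.cfg for standalone nodes and checks whether each host= value resolves to an address configured on this machine, as listed by `ip -o addr`. The sample node.cfg and the /opt/bro/etc/node.cfg path are assumptions; leaving loopback out of the machine's address list mirrors the error text, which names only the 172.27.x.x and fe80:: addresses.

```python
import configparser
import ipaddress
import socket
import subprocess
import sys

# Constructed node.cfg in the single-node form the error text implies; not the thread's file.
SAMPLE_NODE_CFG = """\
[bro]
type=standalone
host=127.0.0.1
interface=eth0
"""

def standalone_hosts(cfg_text):
    """Map each type=standalone section of node.cfg to its host= value."""
    cp = configparser.ConfigParser()
    cp.read_string(cfg_text)
    return {s: cp[s].get("host", "").strip() for s in cp.sections()
            if cp[s].get("type", "").strip() == "standalone"}

def local_addresses(ip_output):
    """Parse `ip -o addr` output into this machine's non-loopback addresses.
    Skipping loopback is an assumption taken from the error text, which lists none."""
    addrs = set()
    for line in ip_output.splitlines():
        f = line.split()
        if len(f) > 3 and f[2] in ("inet", "inet6"):
            a = ipaddress.ip_address(f[3].split("/")[0])
            if not a.is_loopback:
                addrs.add(str(a))
    return addrs

def mismatches(hosts, machine_addrs):
    """Standalone nodes whose host= resolves to no address on this machine."""
    bad = {}
    for section, host in hosts.items():
        try:
            resolved = {i[4][0] for i in socket.getaddrinfo(host, None)}
        except socket.gaierror:
            resolved = set()
        if not resolved & machine_addrs:
            bad[section] = host
    return bad

if __name__ == "__main__":  # usage: python check_node_cfg.py [node.cfg]; default path is assumed
    path = sys.argv[1] if len(sys.argv) > 1 else "/opt/bro/etc/node.cfg"
    machine = local_addresses(subprocess.run(["ip", "-o", "addr"], capture_output=True, text=True).stdout)
    print("mismatched standalone host(s):", mismatches(standalone_hosts(open(path).read()), machine) or "none")
```

Run it on the broken sensor and on the working one; the mismatched entry (if any) is the host= value that broctl is refusing to treat as this machine.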