2

Is there anyway to see more debugging info with Bro / Zeek ? Here's what I know of so far.

  • Logs on Manager, & workers (Stderr.log, Stdout.log)
  • broctl status
  • broctl diag
  • broctl print, & peerstatus both hang, so are of no use for debugging
  • broctl top

I have a number of errors with my Bro installation, yet the logs show nothing is wrong. I assume there are some hidden debug flags or something, or some logs that can shed some light, but I can't find them.

  • broctl peerstatus hangs, as well as print
  • stderr, and stdout show no issues
  • Only logs are stats, reporter, cluster, broker, stderr, and stdout
  • No conn logs, or any of the others

I found this link about peerstatus hanging, which implies there is a way to turn on debugging in broccoli, just not sure that's the right path. http://mailman.icsi.berkeley.edu/pipermail/zeek/2016-December/011149.html

clarkej
  • 41
  • 5

1 Answers1

3

Yes, if you build your Zeek with --enable-debug, then there's an additional command-line option that lets you enable/disable several debug streams:

$ zeek --help
...
-B|--debug <dbgstreams>        | Enable debugging output for selected streams ('-B help' for help)

$ zeek -B help

Enable debug output into debug.log with -B <streams>.
<streams> is a comma-separated list of streams to enable.

Available streams:
  serial
  rules
  state
  chunkedio
  string
  notifiers
  main-loop
  dpd
  tm
  logging
  input
  threading
  file_analysis
  plugins
  zeekygen
  pktio
  broker
  scripts

  plugin-<plugin-name>   (replace '::' in name with '-'; e.g., '-B plugin-Bro-Netmap')

Pseudo streams
  verbose  Increase verbosity.
  all      Enable all streams at maximum verbosity.

For each of the streams you enable, you'll then find corresponding entries in debug.log:

$ zeek -B all -r test.pcap
$ head debug.log
         0.000000/1559682553.492973 [zeekygen] Made ScriptInfo base/init-bare.zeek
         0.000000/1559682553.492997 [scripts] Loading /home/christian/inst/opt/zeek/share/bro//base/init-bare.zeek
         0.000000/1559682553.493094 [serial] Write bool true [true]
         0.000000/1559682553.493099 [serial] bool SerialObj::Serialize(SerialInfo*) const [0x3668000, new pid 0, tid 528948]
         0.000000/1559682553.493103 [serial] -- Caching
         0.000000/1559682553.493105 [serial]    Write bool true [full]
         0.000000/1559682553.493122 [serial]    Write uint64 0 [pid]
         0.000000/1559682553.493126 [serial]    virtual bool EnumType::DoSerialize(SerialInfo*) const
         0.000000/1559682553.493128 [serial]       virtual bool BroType::DoSerialize(SerialInfo*) const
         0.000000/1559682553.493131 [serial]          virtual bool BroObj::DoSerialize(SerialInfo*) const
Christian
  • 1,499
  • 2
  • 12
  • 28