On 12/03/2009 10:48 AM, Robin Sommer wrote:
(To extend my earlier note about the cluster configuration setting a
few defaults differently: that's the case for a number of features we
have added to Bro in the past that are in some way incompatible with
older Bro installations, like changes in log format. We have rarely
turned these on per default to not break anything. The cluster now
flips over some of these switches to get the new behaviour for new
installations. Another example for that are DPD-based conn.logs: the
service field in conn.log is now determined via DPD so you may for
example now see "ssh" there for an SSH session on port 80, while the
standard Bro default would still say "http".)

There shouldn't be a difference though between broctl's cluster and
standalone modes in this regard. I've just checked this for the
use_tagging setting, and that's enabled by default in the standalone
setting as well now; it might not have been in earlier versions.
Thanks for explaining how that works.
I don't think the differences in the output format are (directly)
linked to the missing ServerFounds. There must be another reason why
you're seeing less. Have you looked at notice.log whether there are
more ServerFounds in there? If yes, then they are filtered out
somewhere before they reach alarm.log; if not, then they are not
generated in the first place.
Yes, there are fewer showing up in the notice.log as well. When I get a
chance, I'll try rolling back to an older version, and see if there is a
difference. We also moved our SPAN port from a core-to-core link to an
Internet-to-core link. That may have caused a difference, but I had
expected to see more ServerFounds.