Cannot start BRO and deploy fails

[romerosergio]

System: Centos 7.4 fully updated rock cloned by git and ./deploy_rock.sh

TASK [Enable and start broctl] ***********************************************************************************************************************************************************************************************************
fatal: [simplerockbuild.simplerock.lan]: FAILED! => {"changed": false, "msg": "Unable to start service broctl: Job for broctl.service failed because a timeout was exceeded. See \"systemctl status broctl.service\" and \"journalctl -xe\" for details.\n"}
        to retry, use: --limit @/root/rock/playbooks/deploy-rock.retry

PLAY RECAP *******************************************************************************************************************************************************************************************************************************
**simplerockbuild.simplerock.lan : ok=73   changed=2    unreachable=0    failed=1**

[root@rock] systemctl status  broctl.service
● broctl.service - Bro Network Intrusion Detection System (NIDS)
   Loaded: loaded (/etc/systemd/system/broctl.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Fri 2018-05-18 07:37:26 UTC; 4min 10s ago
  Process: 4239 ExecStart=/opt/bro/bin/broctl deploy (code=exited, status=1/FAILURE)

[root@rock]# systemctl status  broctl.service
● broctl.service - Bro Network Intrusion Detection System (NIDS)
   Loaded: loaded (/etc/systemd/system/broctl.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Fri 2018-05-18 07:37:26 UTC; 4min 10s ago
  Process: 4239 ExecStart=/opt/bro/bin/broctl deploy (code=exited, status=1/FAILURE)

Messages:

May 18 07:37:26 rock broctl[4239]: manager scripts failed.
May 18 07:37:26 rock broctl[4239]: error in /opt/bro/share/bro/site/scripts/rock/plugins/kafka.bro, line 25: unknown identifier Kafka::logs_to_send, at or near "Kafka::logs_to_send"
May 18 07:37:26 rock broctl[4239]: proxy-1 scripts failed.
May 18 07:37:26 rock broctl[4239]: error in /opt/bro/share/bro/site/scripts/rock/plugins/kafka.bro, line 25: unknown identifier Kafka::logs_to_send, at or near "Kafka::logs_to_send"
May 18 07:37:26 rock broctl[4239]: ens224-1 scripts failed.
**May 18 07:37:26 rock broctl[4239]: error in /opt/bro/share/bro/site/scripts/rock/plugins/kafka.bro, line 25: unknown identifier Kafka::logs_to_send, at or near "Kafka::logs_to_send"**
May 18 07:37:26 rock systemd[1]: broctl.service: control process exited, code=exited status=1
May 18 07:37:26 rock systemd[1]: Failed to start Bro Network Intrusion Detection System (NIDS).
May 18 07:37:26 rock systemd[1]: Unit broctl.service entered failed state.
May 18 07:37:26 rock systemd[1]: broctl.service failed.

[wesleyraptor]

Update /opt/bro/lib/bro/plugins/Bro_Kafka/scripts/init.bro to include a constant for logs_to_send (line 4):

module Kafka;

export {
  const logs_to_send: set[Log::ID] &redef;
  const topic_name: string = "" &redef;
  const max_wait_on_shutdown: count = 3000 &redef;
  const tag_json: bool = F &redef;
  const kafka_conf: table[string] of string = table(
    ["metadata.broker.list"] = "localhost:9092"
  ) &redef;
  const json_timestamps: JSON::TimestampFormat = JSON::TS_EPOCH &redef;
}

It looks like the bro-plugin-kafka RPM that gets installed drops that file and it doesn't include that logs_to_send variable:

[root@bridged-rocknsm-v2 ~]# rpm -qf /opt/bro/lib/bro/plugins/Bro_Kafka/scripts/init.bro
bro-plugin-kafka-2.5-1.el7.centos.x86_64

Might have something to do with this commit? I'm not positive --> https://github.com/apache/metron-bro-plugin-kafka/commit/b145bf01f888591cbdf39ea663b34ae02254e0ea#diff-e40b343cebacb5b8a3edf6d7387b3b4c

[dcode]

@wesleyraptor that's a really good catch and I think that is what broke it. There's an updated RPM in the testing repo that should align with the upstream metron plugin. Can you try that to see if it fixes it for you?

[romerosergio]

Worked perfectly after that change, so i believe that's the issue and what broke it.

Thanks for the help