2.6.0-28 | 2025-08-26 08:56:46 -0700

  * update-changes: Also update doc/zeekctl.rst version (Arne Welzel, Corelight)

    Just to stay in sync with doc/main.rst in case there were no other
    changes to documentation, but a version bump.

  * github-workflows: Add job to check for doc changes (Arne Welzel, Corelight)

  * Update docs (Arne Welzel, Corelight)

2.6.0-24 | 2025-08-25 12:27:17 -0700

  * doc/main.rst: Add section added to doc/zeekctl.rst (Arne Welzel, Corelight)

  * Add MetricsAddress, update zeekctl.cfg.in with metrics options (Arne Welzel, Corelight)

    Closes #88

  * Fix typo in option name in docs (Tim Wojtulewicz, Corelight)

2.6.0-20 | 2025-07-25 11:55:15 -0700

  * Add section on log expiration and retention (Giuseppe)

2.6.0-18 | 2025-07-23 19:29:53 +0200

  * Add basic tests for ZeroMQ, UseWebSocket and using them together (Arne Welzel, Corelight)

  * Add WebSocket API support for interacting with nodes (Arne Welzel, Corelight)

    This introduces a new configuration option called UseWebsocket.
    If set, the manager node will spawn a WebSocket server and listen on
    WebSocketHost (default 127.0.0.1) and WebSocketPort (default 27759/tcp).

    Zeekctl will establish a short-lived WebSocket connection to the manager
    and publish command events to node specific topics, then waiting for the
    reply event from the corresponding node. That is, the manager just forwards
    events between Zeekctl and other nodes. This works for both cluster backends,
    Broker and ZeroMQ. When UseWebSocket is not set, there will be a warning
    that print and netstats will not function.

    This does not support TLS configuration for the WebSocket server. If you need
    this, put a proxy (nginx, caddy, traefik, ...) in front of Zeek and use the
    new WebSocketUrl setting of zeekctl.cfg to point it at the proxy with wss://.

    This functionality requires the Python package websockets with at least
    version 11.0. If that's not found and UseWebSocket is set, zeekctl will
    warn about the issue during startup.

  * Introduce ClusterBackend option to zeekctl.cfg and plugins (Arne Welzel, Corelight)

    This adds a new global ClusterBackend option and adds 3 new plugins.
    One for Broker, one for ZeroMQ, and one that ensures that the new
    internal ClusterTopicSeparator setting is set by a cluster backend
    and otherwise vetoes the install command with a descriptive message.

    The separator is used by the WebSocket code to construct node specific
    topics to publish to. For ZeroMQ this isn't exactly important as topics
    are just a sequence of bytes (same for Broker), but for other pub-sub
    systems, wild-card or prefix matching may only be possible on parts of
    the topic (e.g., NATS subject has a more rigid structure).

2.6.0-14 | 2025-07-09 12:32:57 -0700

  * Require C++20 for builds (Tim Wojtulewicz, Corelight)

2.6.0-11 | 2025-03-04 12:50:51 -0800

  * Re-generate docs. (Christian Kreibich, Corelight)

  * Don't write lines containing just indent whitespace during docs generation. (Christian Kreibich, Corelight)

  * GH-77: Fix broken links in the documentation (Christian Kreibich, Corelight)

  * Adjust comment for PrivateAddressSpaceIsLocal setting (Christian Kreibich, Corelight)

  * Fix docs generation for Python 3 era (Christian Kreibich, Corelight)

  * GH-72: In singlehost mode, don't use a telemetry port with ZEEKCTL_DISABLE_LISTEN (Christian Kreibich, Corelight)

  * Add btest environment to preserve the tests' build/testing/test.* temp dirs (Christian Kreibich, Corelight)

  * Add additional clarification on how this testsuite operates to README (Christian Kreibich, Corelight)

2.6.0-2 | 2025-01-13 08:16:57 -0700

  * Update command.print btest for additional public subnets (Tim Wojtulewicz)

2.6.0 | 2024-12-13 08:12:09 -0700

  * Updating submodule(s) [nomail] (Tim Wojtulewicz, Corelight)

2.5.0-76 | 2024-12-11 15:31:45 -0700

  * Remove old obsolete BroControl directory (Tim Wojtulewicz, Corelight)

2.5.0-74 | 2024-12-10 17:22:23 -0700

  * Update cmake submodule to master (Tim Wojtulewicz, Corelight)

  * Update trace-summary submodule for python upgrade (Tim Wojtulewicz, Corelight)

  * Update pysubnettree submodule (Tim Wojtulewicz, Corelight)

  * Add workflow for running pre-commit (Tim Wojtulewicz, Corelight)

  * Update codeql action versions, add linting for workflows (Tim Wojtulewicz, Corelight)

  * Fix references to python 3.5 in CMakeLists and docs (Tim Wojtulewicz, Corelight)

  * Add 'F' to ruff, fix findings (Tim Wojtulewicz, Corelight)

  * Add 'ISC' to ruff, fix findings (there weren't any) (Tim Wojtulewicz, Corelight)

  * Add 'I' to ruff, fix findings (Tim Wojtulewicz, Corelight)

  * Add 'C4' to ruff, fix findings (Tim Wojtulewicz, Corelight)

  * Use f-strings or .format() for string formatting (Tim Wojtulewicz, Corelight)

  * Add ruff linting, enabling and fixing the 'upgrade' finds (Tim Wojtulewicz, Corelight)

    This disables the format string finding (UP031) temporarily. It is
    handled in a separate commit because it's so many changes.

  * Add pre-commit hook for ruff-format, fix all of the findings (Tim Wojtulewicz, Corelight)

  * Add pre-commit for trailing whitespace, fix findings (Tim Wojtulewicz, Corelight)

  * Remove long-outdated travis configuration (Tim Wojtulewicz, Corelight)

2.5.0-58 | 2024-08-08 09:25:59 -0700

  * Stop installing the broctl symlink (Tim Wojtulewicz, Corelight)

2.5.0-56 | 2024-08-08 10:43:44 +0200

  * Remove ignore-deprecations pragma from cluster layout (Arne Welzel, Corelight)

  * Remove interface field from cluster node configuration (Tim Wojtulewicz)

2.5.0-49 | 2024-06-25 11:29:01 +0200

  * GH-65: zeekctl.cfg: Add FileExtractDir option and default to ${spool}/extract_files/ (Arne Welzel, Corelight)

    In a zeekctl managed cluster, extracted files are now placed into
    spool/extract_files/<node>/ rather than a node's working directory at
    spool/<node>/extract_files. This prevents accidental deletion of extracted
    files by the post-terminate script when stopping the cluster.

    The old behavior of storing extracted files into a node's working
    directory may be restored by setting the new FileExtractDir option
    to an empty value in zeekctl.cfg:

        FileExtractDir =

    Closes #65

2.5.0-47 | 2024-06-04 14:16:33 -0700

  * Baseline updates for telemetry rework (Tim Wojtulewicz)

  * Don't override zeek-port in the state with the metrics port (Tim Wojtulewicz)

2.5.0-44 | 2024-05-31 13:35:53 -0700

  * Add MetricsPort option to zeekctl.cfg (Tim Wojtulewicz, Corelight)

2.5.0-41 | 2023-12-06 20:08:23 -0800

  * Changed the depricated SafeConfigParser attribute to ConfigParser (mute019)

2.5.0-39 | 2023-11-07 19:37:51 +0100

  * install: Ignore Cluster$interface deprecation (Arne Welzel, Corelight)

    The idea is that until v7.1, zeekctl continues to populate the interface
    in cluster-layout.zeek just as before, but accesses by users will cause
    deprecation warnings.

2.5.0-37 | 2023-08-07 09:32:38 -0700

  * Use the right CMake variable for python executable (Tim Wojtulewicz, Corelight)

  * Revert update to Python 3.7 (Tim Wojtulewicz, Corelight)

2.5.0-34 | 2023-08-02 11:35:59 -0700

  * Remove usage of FindRequiredPackage (Tim Wojtulewicz, Corelight)

  * Require CMake 3.15 for consistency with other Zeek projects (Tim Wojtulewicz, Corelight)

  * Update submodules for find_package() fixes (Tim Wojtulewicz, Corelight)

2.5.0-24 | 2023-04-27 12:13:34 +0200

  * Multi-logger handling (Arne Welzel, Corelight)

    If there are multiple loggers configured in node.cfg, currently they all invoke
    archive-log for their own logs and overwrite each others files during log rotation
    due to having the same rotation intervals and creating the same names via
    `make-archive-name`. There's no easy way to customize the name for individual
    loggers.

    This PR proposes the following API/interface:

    * Invoke the rotation postprocessor with a new environment variable
      called ZEEK_ARG_LOG_SUFFIX. This environment variable is set *only*
      when multiple loggers are configured. It's set to the value of
      Cluster::node.

    * Place a .log_suffix file within a logger's working directory also
      *only* when multiple loggers are configured. This can be used by
      the post-terminate script to set the ZEEK_ARG_LOG_SUFFIX to set it
      for the archive-log / make-archive-name.

    * Make the `make-archive-name` and `post-terminate` ZEEK_ARG_LOG_SUFFIX
      and .log_suffix aware.

    The result is that the name of archived logs includes the logger name
    suffix when multiple loggers are configured. This is configurable using
    a custom `make-archive-name` script.

        -rw-rw-r-- 1 zeek zeek 8.7K Apr  6 11:58 conn.11:57:00-11:58:00-logger-1.log.gz
        -rw-rw-r-- 1 zeek zeek 8.7K Apr  6 11:58 conn.11:57:00-11:58:00-logger-2.log.gz
        -rw-rw-r-- 1 zeek zeek  529 Apr  6 11:58 conn-summary.11:57:00-11:58:00-logger-1.log.gz
        -rw-rw-r-- 1 zeek zeek  367 Apr  6 11:58 conn-summary.11:57:00-11:58:00-logger-2.log.gz

2.5.0-19 | 2023-03-22 13:32:10 -0700

  * Make private address space locality configurable (Christian Kreibich, Corelight)

2.5.0-17 | 2023-03-20 10:02:20 -0700

  * Update baseline for command.peerstatus test (Tim Wojtulewicz)

  * Update test baseline for changes to Site::local_nets (Tim Wojtulewicz)

    This required adding a random seed and setting the environment
    variable for Zeek during testing. Otherwise the set prints out
    in a different order every time and breaks the determinism
    of the test.

2.5.0-14 | 2023-03-01 10:17:36 +0100

  * build-zeek: Recognize ZEEK_CI_CPUS (Arne Welzel, Corelight)

    nproc on Cirrus CI gives 32 even if we only allocated 4 CPUs and
    building Spicy with -j32, instant OOM.

    Also, ditch a bit more Travis references.

  * GH-45: testing: Remove pf_ring round-robin usage in tests (Arne Welzel, Corelight)

    In #45, the round-robin load balancing method for pf_ring was
    removed, but there was a test using it. Fix it up.

  * GH-309: Update peerstatus baselines (Arne Welzel, Corelight)

    This has been reported as a regression via zeek/broker#309, but for
    the time being updated it to the new world order.

  * build-zeek: Recognize Cirrus CI, not Travis (Arne Welzel, Corelight)

2.5.0-9 | 2023-02-24 18:59:07 +0100

  * Add a new ZeekPortWarning plugin (Arne Welzel, Corelight)

    This was discussed on Slack:

    1) The issue is pressing enough to actively warn users about it when
       starting zeekctl.

    2) We should prepare users for the change in default coming with
       Zeek 5.2. We're a bit late here, but still reasonable for 5.0
       to 6.0 upgrades.

    This change should be included into a Zeek 5.0.x maintenance release.

2.5.0-5 | 2023-02-24 09:23:35 +0100

  * Support lb_method af_packet (Arne Welzel, Corelight)

  * GH-2792: plugins: Import af_packet.py (Arne Welzel, Corelight)

    This is an import of af_packet.py from zeek/zeek-af_packet-plugin at
    revision b8c17c898bedfe020056027036f5a7eabc815c92. However, tabs have
    been replaced with spaces.

    Further, we're importing this as zzz_af_packet.py to have it be
    loaded and initialized after lb_custom.py on which it depends.

    Related to zeek/zeek#2792.

  * pluginreg: Sort py files before import (Arne Welzel, Corelight)

    Make import order of plugins predictable so prefixing of filenames
    with zzz or aaa can be used for basic ordering.

2.5.0 | 2023-02-01 15:47:52 -0700

  * Release 2.5.0 (Tim Wojtulewicz, Corelight)

2.4.1-15 | 2023-01-23 09:13:34 +0000

  * Remove the broctl symlink. (Johanna Amann, Corelight)

2.4.1-12 | 2022-12-02 18:05:32 -0800

  * lb_pf_ring: Drop round-robin, make error message say "not supported" (Arne Welzel, Corelight)

  * style: replace simple quotes with double quotes for consistency (V)

  * pf_ring: add new 'inner' load balancing strategies for better balancing of tunneled sessions (V)

  * Add CodeQL workflow (sylwia-budzynska)

2.4.1-4 | 2022-10-07 09:16:09 -0700

  * Move ZeekPort out of Linux's ephemeral port range (47760 to 27760) (Arne Welzel, Corelight)

    WARNING: This breaks users that have setup strict firewalls between Zeek
             nodes, but at the same time fixes spurious worker failures.

    On Linux, port 47760 and the following ports selected by zeekctl fall square
    into the ephemeral port range. This has resulted in multiple users reporting
    Zeek workers spuriously failing to start with messages as follows:

        error in /usr/local/zeek-5.0.0/share/zeek/base/frameworks/cluster/./setup-connections.zeek, lines 94-96: Failed to listen on INADDR_ANY:47764 (Broker::listen(Broker::default_listen_address, Cluster::self$p, Broker::default_listen_retry))
        fatal error: errors occurred while initializing

    This can happen when another process on the system are using a port that
    a Zeek process is supposed to listen on. They are free to do so, these
    ports are in the default ephemeral port range. Even the outgoing connection
    from the same or another worker to the manager or logger has been
    observed to cause this.

    FreeBSD users have not seen this previously, as its ephemeral port range
    is above 47760 (49152), but on Linux it starts as low as 32768.

  * Keep make dist from deleting all paths containing 'build' [skip ci] (Tim Wojtulewicz, Corelight)

2.4.1 | 2022-06-01 09:30:19 -0700

  * Release 2.4.1

2.4.0-5 | 2022-04-08 11:26:28 -0700

  * Update cmake submodule to pull in InstallSymlink fix (Christian Kreibich, Corelight)

2.4.0-3 | 2022-01-27 14:53:12 -0700

  * Have `make dist` cleanup a few more wayward files before tarring (Tim Wojtulewicz, Corelight)

  * Update cmake submodule to latest master (Tim Wojtulewicz, Corelight)

2.3.0-5 | 2021-06-15 11:33:52 -0700

  * GH-32: Add builtin-plugins to ZEEKPATH in set-zeek-path (Tim Wojtulewicz, Corelight)

2.3.0 | 2020-12-14 21:02:33 -0800

  * Release 2.3.0

2.2.0-27 | 2020-12-12 20:20:43 -0800

  * Install zeekctl into Zeek's common Python library subdirectory (Christian Kreibich, Corelight)

    - This removes the unused --python-install-dir option from the
      configure help output, and adds --python-home and --python-prefix to
      allow specifying custom Python installation folders, as done in the
      Broker package. Bundled installation with Zeek inherits
      PY_MOD_INSTALL_DIR, as the rest of the tree.

    - The testsuite no longer hardwires assumptions about the location of
      the Python module folder, and instead relies on "zeek-config
      --python_dir" to obtain it. This required some rewiring of the
       per-test string substitution logic. Cross fingers.

    - Switches cmake's deprecated "remove_directory" command to "rm".

    - Bumps trace-summary submodule to make it find Python modules in the
      Zeek distribution's installation directory.

2.2.0-25 | 2020-12-10 14:11:47 -0800

  * Update Broker Python binding usages to new API (Jon Siwek, Corelight)

    Without properly use of context-management or explicit reset() calls,
    the destruction order of subscriber objects can cause
    heap-use-after-free crashes.

2.2.0-24 | 2020-12-10 15:45:03 +0000

  * Baseline refresh to reflect btest 0.64 (Christian Kreibich, Corelight)

2.2.0-21 | 2020-12-07 15:06:31 -0800

  * Update CMake logic to prefer Python 3 over Python 2 (Jon Siwek, Corelight)

2.2.0-17 | 2020-12-02 11:10:51 -0800

  * Update minimum required CMake to 3.5 (Jon Siwek, Corelight)

2.2.0-15 | 2020-11-26 18:06:12 +0000

  * Remove an empty/useless 'btest' file (Jon Siwek, Corelight)

  * Remove CI testing of older Python versions and add newer versions (Jon Siwek, Corelight)

  * Remove Python 2 compatibility logic from all Python scripts (Jon Siwek, Corelight)

  * Update Python invocations to use explicit `python3` (Jon Siwek, Corelight)

  * Update CMake logic to enforce Python >= 3.5 (Jon Siwek, Corelight)

  * Update docs to reflect new Python 3.5 minimum requirement (Jon Siwek, Corelight)

  * Update submodules for changes related to Python 2 EOL (Jon Siwek, Corelight)

2.2.0-6 | 2020-11-24 15:16:37 -0800

  * Rely on GNUInstallDirs for definition of libdir and adopt it for installation (Christian Kreibich, Corelight)

2.2.0 | 2020-07-27 11:14:20 -0700

  * Release 2.2.0

2.1.0-25 | 2020-07-21 12:55:47 -0700

  * Update a test baseline for new Broker::table_store_db_directory (Jon Siwek, Corelight)

2.1.0-24 | 2020-07-21 14:45:35 +0000

  * Add new "BrokerDBDir" configuration option, which sets the
    location in which Zeek tables that are backed by Broker stores are
    persisted. (Johanna Amann, Corelight)

2.1.0-20 | 2020-06-30 11:31:03 -0700

  * Fix .travis.yml to use auxil/ instead of aux/ (Jon Siwek, Corelight)

2.1.0-18 | 2020-06-08 11:14:14 -0700

  * Rename aux/ to auxil/ (Jon Siwek, Corelight)

    Since "aux" is not an allowed file/dir name on Windows.

2.1.0-11 | 2020-03-26 13:33:50 -0700

  * Update generated docs (Jon Zeolla)

  * Clarify docs and example for multi-logger cluster (Jon Zeolla)

2.1.0 | 2020-02-08 12:32:49 -0800

  * Release 2.1.0

2.0.0-39 | 2020-02-04 12:07:18 -0800

  * Don't check for sqlite3 python module when cross-compiling (Fabrice Fontaine)

    Don't check for sqlite3 python module support by calling
    "${PYTHON_EXECUTABLE}" -c "import sqlite3" when cross-compiling as this
    will check sqlite3 support on the host python interpreter and not the
    target python interpreter.

2.0.0-36 | 2020-01-30 19:11:25 -0800

  * No longer need to look for BROCTL_DISABLE_LISTEN. (Robin Sommer, Corelight)

  * Error out when old Bro options are used. (Robin Sommer, Corelight)

  * Error out when old Bro plugin API used. (Robin Sommer, Corelight)

  * Remove 'bro' command from ps plugin. (Robin Sommer, Corelight)

  * Abort if there's a broctl.cfg but no zeekctl.cfg. (Robin Sommer, Corelight)

  * Abort when using old BroControl plugin API. (Robin Sommer, Corelight)

2.0.0-25 | 2019-11-25 10:21:18 -0800

  * Fix "scripts" command in standalone mode (Jon Siwek, Corelight)

    Addresses https://github.com/zeek/zeek/issues/697

2.0.0-24 | 2019-11-25 09:21:27 -0800

  * Change install.py to use a relative path for the zeekctl-config.sh symlink (Craig Leres)

2.0.0-18 | 2019-10-28 20:14:23 -0700

  * Remove Python 3.4 from Travis CI matrix (Jon Siwek, Corelight)

    It's end-of-life and not available in Travis "dist: bionic".

2.0.0-17 | 2019-10-28 18:27:37 -0700

  * Use Ubuntu 18.04 (Bionic) in Travis CI (Jon Siwek, Corelight)

    To satisfy Zeek C++17 requirement

2.0.0-16 | 2019-10-28 18:25:20 -0700

  * Move CMake project() after cmake_minimum_required() (Jon Siwek, Corelight)

2.0.0-12 | 2019-10-17 16:30:37 -0700

  * Change gzip compression level from 9 to default #614 (JC Connell)

2.0.0-6 | 2019-08-23 06:31:33 -0400

  * archive-log: Print a usage string if the number of arguments is incorrect. (Vlad Grigorescu)

2.0.0-3 | 2019-08-13 13:43:34 -0700

  * Add CompressLogsInFlight option to compress logs while writing instead of upon rotation (Tim Wojtulewicz, Corelight)

2.0.0 | 2019-08-08 10:51:01 -0700

  * Release 2.0.0

1.9-60 | 2019-08-06 11:48:09 -0700

  * Simplify check-pid script

    Still keeps support for Alpine/BusyBox version of `ps`, which lacks
    the -p option, but removes the use of `kill -0`, which transiently
    fails for unknown reason: see https://github.com/zeek/zeek/issues/518 (Jon Siwek, Corelight)

1.9-56 | 2019-06-21 09:55:14 -0700

  * Fix alpine ps => PID issue (Jeff Barber)

1.9-52 | 2019-06-12 15:08:09 -0700

  * Rename directories from bro to zeek (Daniel Thayer)

1.9-49 | 2019-05-23 19:33:47 -0700

  * Rename the BROPATH environment variable (Daniel Thayer)

1.9-47 | 2019-05-20 19:37:27 -0700

  * More changes for Bro to Zeek renaming (Daniel Thayer)

1.9-45 | 2019-05-15 15:00:39 -0700

  * Adjust parallelism of build-zeek script (Jon Siwek, Corelight)

  * Update broker.bro module usage to broker.zeek (Jon Siwek, Corelight)

1.9-43 | 2019-05-14 19:29:56 -0700

  * Fix plugin.ps test (Jon Siwek, Corelight)

1.9-42 | 2019-05-14 18:19:43 -0700

  * Remove the "update" command (Jon Siwek, Corelight)

1.9-41 | 2019-05-14 17:27:44 -0700

  * Update Travis config to use zeek/zeekctl (Jon Siwek, Corelight)

  * Update README.rst symlink (Jon Siwek, Corelight)

1.9-39 | 2019-05-14 13:12:15 -0700

  * Fix legacy plugin API and add new tests (Daniel Thayer)

  * Added new test cases and improved a few tests. (Daniel Thayer)

  * Fixed one line in the help output to fit within an 80 character display. (Daniel Thayer)

  * Some fixes for bro-to-zeek renaming and docs (Daniel Thayer)

  * Updating documentation. (Robin Sommer, Corelight)

  * Renamed broctl to zeekctl (Robin Sommer, Corelight)

    I ended up doing the rename pretty comprehensively across all the
    scripts, as it was hard to change some places but not others. So most
    uses of Bro are replaced with Zeek now. I tried to maintain backwards
    compatibility with the old names where user visible, including names
    for options and IDs inside plugins.

    Changes to maintain backwards compabibility:

    - We now also puts links in place for backwards compability:

        bin/broctl -> bin/zeek-wrapper (which then forwards to zeekctl)
        lib/broctl -> lib/zeekctl

    - If an etc/broctl.cfg exists from a previous install, we symlink
      etc/zeekctl.cfg to it to keep any customizations that were made.

    - We create a Python wrapper module BroControl that forwards (with a
      warning) to the renamed ZeekControl, so that old plugins continue to
      work.

    - Old option name containing "Bro" are accepted in place of the new
      Zeek variants.

    - "ps.bro" is an alias for "ps.zeek".

    - BROCTL_DISABLE_LISTEN is an alias for ZEEKCTL_DISABLE_LISTEN

1.9-32 | 2019-05-10 19:13:32 -0700

  * Add LibDir64 option (Jon Siwek, Corelight)

    And make it and LibDir optional dirs for syncing to remote nodes as
    well as for use with the 'df' command.

    On some platforms, certain libraries in the Zeek-ecosystem now install
    into the lib64/ directory by default (per that platform's convention).

  * Allow option names that have numbers in them (Jon Siwek, Corelight)

  * Silence test failures due to rotate_file_by_name deprecation (Jon Siwek, Corelight)

1.9-28 | 2019-04-19 11:11:53 -0700

  * Replace bro_init/bro_done usages with zeek_init/zeek_done (Seth Hall, Corelight)

1.9-24 | 2019-04-16 11:53:06 -0700

  * Update some tests and baselines due to new file extension (Daniel Thayer)

  * Install script files with new file extension (Daniel Thayer)

  * Change file extension of all script files to ".zeek" (Daniel Thayer)

  * Fix the update command

    This broke due to https://github.com/zeek/zeek/pull/261, in which
    errors in initialization are now fatal, but there happened to be
    benign/unnoticed errors with the way `broctl update` was working.
    Namely, it was incorrectly treating the bro process that it spawned
    for using the control framework as a cluster node, by setting the
    CLUSTER_NODE environment variable, and that causes an attempt to listen
    on a port which, when a cluster is up and running as it should be,
    is already listened upon, thus generating an error and completely
    failing now due to change in initialization behavior. (Jon Siwek, Corelight)

1.9-11 | 2019-01-04 13:10:54 -0600

  * Adding support for log rotation/expiration for distributed loggers. (Stefan Maerz)

1.9-8 | 2018-12-10 15:07:31 -0600

  * Change Travis btest commnad to help isolate hung tests (Jon Siwek, Corelight)

1.9-7 | 2018-12-10 13:09:29 -0600

  * Update Travis URL for cloning Zeek (Jon Siwek, Corelight)

  * GH-11: Improve check-pid helper script for Alpine support (Jon Siwek, Corelight)

1.9-4 | 2018-12-07 16:31:33 -0600

  * Update github/download link (Jon Siwek, Corelight)

  * Update submodules to use github.com/zeek (Jon Siwek, Corelight)

1.9-2 | 2018-09-26 10:31:47 -0500

  * Update broctl.rst (by running "make doc") (Daniel Thayer)

1.9 | 2018-09-18 16:47:56 -0500

  * Release 1.9.

1.8-1 | 2018-09-18 16:46:20 -0500

  * Fix commands that use broker python bindings (Jon Siwek, Corelight)

1.8 | 2018-09-18 14:26:09 -0500

  * Release v1.8.

1.7-126 | 2018-09-07 09:56:19 -0500

  * Update the broctl top command to not show the "Proc" column (Daniel Thayer)

  * Update the stats-to-csv script for broker and loggers (Daniel Thayer)

  * Improve `make dist` (Jon Siwek, Corelight)

1.7-122 | 2018-08-29 23:44:14 +0000

  * Include Broker node ID in "control" event topics. This helps break
    a message routing loop due to all "control" nodes being subscribed
    to a common topic. (Jon Siwek, Corelight)

1.7-119 | 2018-08-21 13:20:35 -0500

  * Change default snaplen to 9216 bytes to better accommodate
    jumbo frames (Justin Azoff)

1.7-117 | 2018-08-20 14:57:41 -0500

  * Change broctl to warn about unrecognized broctl options (Daniel Thayer)

  * Remove deprecated node-specific SitePolicy* options (Daniel Thayer)

1.7-107 | 2018-07-16 10:57:58 -0500

  * Update docs about the "update" command being deprecated (Daniel Thayer)

  * Various unit test additions/improvements/cleanups (Daniel Thayer)

  * Update diff-top-output script based on a recent change (Daniel Thayer)

  * Reduce the number of node.cfg files used by the tests (Daniel Thayer)

  * Reduce the number of broctl.cfg files used by the tests (Daniel Thayer)

  * Set BRO_DEFAULT_LISTEN_ADDRESS when running tests (Daniel Thayer)

  * The check and scripts tests no longer need to be serialized (Daniel Thayer)

1.7-93 | 2018-06-21 11:54:09 -0500

  * Make 'check' and 'scripts' commands skip connection setup (Corelight)

1.7-92 | 2018-06-08 09:55:24 -0500

  * Broker-related updates and fixes for the docs (Daniel Thayer)

  * Reduce the size of the Bro build and build more quickly when running
    broctl tests (Daniel Thayer)

  * Travis CI improvements (Daniel Thayer)

  * Fix the testing Makefile "cleanup" target to remove all test tmp files.
    (Daniel Thayer)

  * Fix a few commands to report error when bro is not running (Daniel Thayer)

  * Improve error message for import broker failure (Daniel Thayer)

  * Remove redundant output from broctl capstats command (Daniel Thayer)

  * Output error messages to stderr instead of stdout (Daniel Thayer)

  * Improved capstats error message when capstatspath option is not set.
    (Daniel Thayer)

  * Fixed exit status of capstats command when it doesn't produce any
    results. (Daniel Thayer)

  * Updated some test baselines. (Daniel Thayer)

1.7-81 | 2018-06-06 14:01:23 -0500

  * Listen in standalone mode, but not when processing a trace (Corelight)

1.7-77 | 2018-05-21 17:46:06 +0000

    * Port BroControl to use Broker. (Corelight) This includes:

        - Add deprecation warning to "update" command. Bro's new
          configuration framework supersedes it.

        - Make Broker's control topic a configuration option.

        - Add 'DefaultStoreDir' option that controls location of
          persistent stores

        - Remove 'IPv6Comm' and 'ZoneID'. For the former, Broker
          should be able to handle IPv6 automatically. The latter is
          not supported anymore for now.

    * Don't open debug.log when not configured to do logging, and
      catch when broctl can't open the debug log file. (Daniel Thayer)

1.7-61 | 2018-03-15 14:57:05 -0700

  * Configure Travis CI email recipients and build branches. (Daniel
    Thayer)

1.7-57 | 2018-02-05 15:04:41 -0800

  * Add a .travis.yml file (Daniel Thayer)

  * Fix a race condition in the bro__test script. (Daniel Thayer)

  * Fix the build-bro script when running on Travis CI. (Daniel Thayer)

1.7-53 | 2018-01-18 13:18:38 -0600

  * Allow capstats to work with af_packet (Mike Reeves)

  * Fix race conditions in the "update" command test and the "start-slowstart"
    command test.  Cleaned up the bro__test script. (Daniel Thayer)

  * Sort the list of filesystems for each node in the "df" command output.
    This fixes the "df" command test on Python 3. (Daniel Thayer)

  * Enable easier changing of the node type sort order in broctl command
    output.  A list of node types in the preferred sort order is now used
    instead of using alphabetical order. (Daniel Thayer)

  * Add a logger to the node.cfg for some tests to verify correct ordering
    of node names in the output of various broctl commands. (Daniel Thayer)

  * Update test baselines for recent change of PFRINGClusterID default value.
    Also, it is no longer necessary to set a value for the PFRINGClusterID
    option in broctl.cfg for the PF_RING tests. (Daniel Thayer)

1.7-44 | 2017-12-28 10:33:48 -0500

  * Fix bug in broctl df command where it could skip checking the filesystem
    of the "logs" directory if none of the other Bro directories were on that
    filesystem, but only when a cluster config with a logger node was being
    used.  Also fixed the check for NFS mounted volumes to prevent broctl from
    skipping non-NFS filesystems that have a colon in the name.
    Addresses BIT-1880 (Daniel Thayer)

  * Added "df" command tests for a standalone configuration, and for Bro
    directories on different partitions. (Daniel Thayer)

1.7-39 | 2017-12-28 10:29:22 -0500

  * Changed the default value of PFRINGClusterID to be 21 (instead of 0)
    when PF_RING is not installed.  Also changed the default value of
    SendMail to /usr/sbin/sendmail (instead of SENDMAIL-NOTFOUND) when
    sendmail is not installed. (Daniel Thayer)

1.7-34 | 2017-12-13 11:30:50 -0600

  * Simplify broctl "start" and "stop" output to show the node type
    instead of listing each node name. (Daniel Thayer)

  * Code cleanup: reduce number of hard-coded node type names in the code.
    (Daniel Thayer)

  * Add new tests of the BroControl plugin API (Daniel Thayer)

  * Reorganize, rename, and simplify numerous test scripts. (Daniel Thayer)

  * Cleanup the broctl test build and setup scripts. (Daniel Thayer)

  * Add test for "broctl --version" (Daniel Thayer)

  * Added a test case for multiple logger nodes in the "install" command test.
    (Daniel Thayer)

1.7-16 | 2017-09-26 09:16:47 -0400

  * Allow broctl plugin command names that are an empty string to be run
    by typing just the plugin prefix name (no dot needed). (Daniel Thayer)

  * Add tests to verify that bugs fixed in the following commits
    are actually fixed: 6bf5bb0f, 9f387354, and f472a05f. (Daniel Thayer)

1.7-12 | 2017-09-20 17:18:40 -0400

  * Fix archive-log to correctly handle logs that are already compressed.
    (Daniel Thayer)

1.7-10 | 2017-09-19 17:06:27 -0500

  * Fix "install" command to preserve symlinks in "site" directory.
    Addresses BIT-1846. (Jon Siwek)

  * Fix broctl "print" command to not truncate output. (Daniel Thayer)

1.7-7 | 2017-07-27 14:38:10 -0500

  * lb_pf_ring update: support for ZC and the new bro::pf_ring plugin (cardigliano)

1.7-5 | 2017-07-11 08:45:32 -0500

  * Use SHA-1 instead of MD5 to compute config hash values. Addresses BIT-1817.
    (Daniel Thayer)

1.7 | 2017-06-26 15:55:09 -0700

  * Release 1.7.

1.6-3 | 2017-06-26 10:52:27 -0400

  * Set a value for the global_hash_seed constant.  Addresses BIT-1819.
    (Daniel Thayer)

1.6 | 2017-06-06 17:43:14 -0500

  * Release 1.6

  * Pruning CHANGES a bit (Daniel Thayer)

1.5-49 | 2017-04-30 12:53:44 -0400

  * Allow more than one logger to be defined.

    This adds initial support for running a Bro cluster with multiple logger
    processes.  This is primarily useful for installations that use something
    like Kafka or Logstash to aggregate logs.  (Daniel Thayer)

  * Add a "--version" option to show broctl version (Daniel Thayer)

  * Added a new option MailReceivingPackets to allow users to disable
    broctl cron mail that no packets were seen on an interface. (Daniel Thayer)

  * A large number of unused code removal and code cleanups (Daniel Thayer)

  * Fix some failing tests when using python 3 (Daniel Thayer)

  * The "start" helper script now reports error if PID string is empty (Daniel
    Thayer)

  * Fixed the sorting of node names in command output (e.g. "worker-10"
    should be output after "worker-2").  Now the order of names is based on
    the "count" node attribute instead of the name.  (Daniel Thayer)

  * Fixed some bugs in stats-to-csv script (proxies were being handled like
    workers, and it was assuming that the manager is named "manager").
    Also added more error checking. (Daniel Thayer)

  * Fix potential cases of unhandled IndexError and ValueError. (Daniel Thayer)

  * Fixed a few cases where the ps plugin didn't return non-zero when an
    error occurred. (Daniel Thayer)

  * Fix shell scripts to no longer depend on bash (Daniel Thayer)

  * Improve the run_cmds() and run_localcmd() functions by returning output
    as a string (instead of list of strings) and check and handle output
    string correctly in all cases. (Daniel Thayer)

1.5-21 | 2017-03-17 13:18:58 -0400

  * Fix some tests to make sure the test tmp dir is removed (Daniel Thayer)

  * Update crash-diag script due to recent change where "bro -v" now outputs
    the version to stdout.  Also fixed crash-diag to not show stderr output
    from running "bro -N". (Daniel Thayer)

  * Add a new broctl option to expire crash directories

    Added functionality to broctl cron to remove crash directories older than
    the number of days specified in the new option CrashExpireInterval (the
    default value is 0, which means crash directories never expire). (Daniel
    Thayer)

  * Add a test for expiration of crash directories (Daniel Thayer)

  * Reduce disk usage of post-terminate and crash-diag

    Changed post-terminate and crash-diag so that the bro binary is not
    copied when there is no core file.  Also, the crash report is now
    saved to disk only when crash-diag is run from post-terminate (i.e.,
    the "diag" command will no longer create any files). (Daniel Thayer)

  * Change archive-log to use "mv" instead of "cp"

    Changed archive-log to "mv" (rather than "cp") logs when not using gzip
    for better efficiency.  This means we will not have the logs in the tmp
    directory when Bro crashes, so the scripts have now been simplified to
    never attempt to keep a copy of archived logs in the tmp dir (previously,
    logs >100MB were always being deleted anyway). (Daniel Thayer)


1.5-12 | 2017-03-13 13:43:43 -0400

  * Prevent the broctl check and scripts commands from hanging

    Changed the check-config script to run bro with the "-a" option
    when running "broctl check" in the hope that this will prevent broctl
    from hanging for any reason.  The "-a" option prevents bro
    from running any bro script statements (previously, "check" would
    cause bro to exit after handling the bro_init event) but should still
    be able to identify the same bro scripting errors as before.

    Also, to prevent "broctl scripts" from hanging, set the value
    of "exit_only_after_terminate" to False (in broctl/check.bro) in case
    another script sets the value of that constant to True.  Since "bro -a"
    prevents bro from creating the loaded_scripts.log file, that option
    cannot be used with "broctl scripts". (Daniel Thayer)

1.5-9 | 2017-01-26 16:38:17 -0500

  * Fix some failing tests

    Added a new broctl option, called StopWait, to force the stop command
    to wait for the post-terminate script to finish.  This is needed
    because some tests were failing due to background log-archive processes
    creating logs after "broctl stop" finished, which was preventing the
    test directory from being deleted. (Daniel Thayer)

  * Fix post-terminate to not generate invalid timestamps

    Fixed the code that tries to extract the base name and timestamp
    from a log filename, because it wasn't extracting them correctly
    when the base name contained a period (this doesn't happen for any
    of the standard Bro logs) or if the timestamp in the filename wasn't in
    the format YYYY-MM-DD-HH-MM-SS (this could happen if Bro terminates
    but for some reason doesn't execute the code in the writers/ascii.bro
    script that renames the log, or if someone uses a different forma
    by redefining Log::default_rotation_date_format).  The fix involves
    first removing the log suffix, then trying to extract the timestamp
    in one of the two default timestamp formats.  This procedure is more
    reliable than the previous method of making assumptions about how many
    period characters should be in a log filename.

    Also, when Bro terminates normally, post-terminate now just tries to
    archive all log files, instead of only those that were rotated.  This
    is to avoid missing any logs.  This also means that the
    stderr.log/stdout.log files are now archived when Bro terminates
    normally (instead of only when Bro crashes), which is useful to
    capture any error messages from archive-log or Bro.

    Also fixed an issue that could occasionally occur when post-terminate
    archives an unrotated log file (i.e., no timestamp in the filename)
    and a different log with the same base name was archived after
    post-terminate started, then the computed start time of the unrotated
    log would be later than the end time.  Fixed by setting the start time
    to equal the end time.

    Also added the node name to the subject line in the email sent when
    post-terminate fails to archive a log. (Daniel Thayer)

  * Add error checking of archive-log timestamp parameters

    Check if the format of the timestamp command-line parameters matches
    the required format.  If not, exit with an error message.  This will
    prevent archive-log from creating an archived log file with a corrup
    filename or in a directory with a corrupt name.

    Also simplified the code that gets the current century. (Daniel Thayer)

1.5-5 | 2017-01-26 13:34:37 -0500

  * Fix crash-diag script to use the correct debugger, because on some systems
    the correct debugger to use is not called "gdb" (currently, this
    affects OS X and OpenBSD). (Daniel Thayer)

1.5-2 | 2016-12-06 12:35:40 -0800

  * Don't show output of "ulimit -v" in crash reports on OpenBSD; adjusting
    it always fails and showing the value only creates confusion. (Daniel Thayer)

1.5 | 2016-11-16 14:51:05 -0800

  * Pruning CHANGES a bit. (Daniel Thayer)

  * Update broctl.rst using "make doc". (Daniel Thayer)

1.5-beta2 | 2016-11-02 11:08:45 -0700

  * Release 1.5-beta2.

1.5-beta-56 | 2016-11-02 13:44:41 -0400

  * A number of portability fixes, mostly related to OpenBSD. (Daniel Thayer)

1.5-beta-48 | 2016-11-02 13:38:34 -0400

  * Fix bug where standalone bro port isn't recorded to state.db, and
    add more test cases. (Daniel Thayer)

1.5-beta-41 | 2016-11-01 09:34:19 -0700

  * Add support for local-logger.bro site policy script. (Daniel Thayer)

  * Add a few clarifications to broctl documentation. (Daniel Thayer)

1.5-beta-31 | 2016-10-07 14:55:07 -0400

  * Improve diag command output. (Daniel Thayer)

  * Add new option SitePolicyScripts to replace SitePolicyStandalone.
    Also marked SitePolicyManager, SitePolicyWorker, and SitePolicyStandalone
    as deprecated in the documentation. (Daniel Thayer)

  * Fix a couple of failing tests. (Daniel Thayer)

  * Fix a failing test on FreeBSD. (Daniel Thayer)

  * Improved the documentation, especially documentation of node attributes,
    documentation of broctl commands, and added a section about Bro/BroControl
    communication. (Daniel Thayer)

1.5-beta-24 | 2016-09-26 16:24:21 -0400

  * Define all BroControl exceptions in the new exceptions.py file.
    The broctl client will now handle only those exceptions, showing a
    useful error message instead of a stack trace.  As before, if a
    standard Python exception is raised (this is not expected to occur),
    then broctl will terminate with a stack trace, which is useful to
    help debug the problem. (Daniel Thayer)

1.5-beta-22 | 2016-09-26 16:11:21 -0400

  * Fix crash-diag script to not confuse log files with core files

    Fixed the crash-diag script to not include any log filenames that
    contain the word "core" in the list of core files. (Daniel Thayer)

  * Improve crash-diag script's handling of core filenames

    Fixed the script to handle filenames that contain a space. (Daniel Thayer)

1.5-beta-19 | 2016-09-26 15:50:22 -0400

  * Fix a bug where broctl loses state of running Bro nodes

    If a node name contains uppercase letters, then restarting broctl while
    that node is running results in a confusing warning about that node still
    running, and broctl discards the PID of that node.  Fixed by converting
    the node name to lowercase before checking the state database (where all
    keys are converted to lowercase).

    Addresses BIT-1676. (Daniel Thayer)

  * Report an error if a user defines node names differing only by case (such
    as "worker-1" and "Worker-1").  This check is needed because keys
    in the state db are converted to lowercase. (Daniel Thayer)

  * Improve error messages for plugin API functions (Daniel Thayer)

  * Removed the restriction that plugin state variables must be string
    type, because normal state variables have no such restriction. (Daniel Thayer)

  * Fixed the getGlobalOption() function in the plugin API.  It did not
    convert its argument to lowercase, and could return the value of a
    state variable.

    Also simplified some code by replacing the config has_attr() function
    with a new function get_option(), which helps reduce the number of places
    in the code where keys are converted to lowercase. (Daniel Thayer)

  * Do not set a plugin state var. with invalid name (Daniel Thayer)

  * Improve code that sets plugin option values

    Improved error messages to include the name of the plugin, and fixed a
    problem where any option with an invalid name was being set (now such
    options are skipped). (Daniel Thayer)

  * Simplify some broctl cron-related code by using get_state() (Daniel Thayer)

  * Fix the subst() function for non-string data types (Daniel Thayer)

  * Code simplification involving the config get_state() function

    Added an optional default parameter to the config get_state() function,
    and changed that function to convert the key to lowercase.  These changes
    help simplify some code by reducing the number of conversions to lowercase. (Daniel Thayer)

  * Simplify code by not converting option values to lowercase (Daniel Thayer)

  * Fix problem with custom node keys that are not lowercase (Daniel Thayer)

  * Improve documentation of case-sensitive issues in broctl (Daniel Thayer)

  * Remove redundant lowercase conversions of state var. names (Daniel Thayer)


1.5-beta-2 | 2016-09-01 12:03:46 -0400

  * Improve crash reports by showing Bro plugin info (Daniel Thayer)


1.5-beta | 2016-08-12 13:20:27 -0700

  * Release 1.5-beta.

  * Fix rsync error message to not show ssh login banner. (Daniel Thayer)

  * Run "make doc" to update broctl.rst (Daniel Thayer)

  * Pruning CHANGES a bit (Daniel Thayer)

1.4-150 | 2016-08-09 13:38:17 -0400

  * Show python stack trace if unexpected exception is raised.
    (Daniel Thayer)

  * Improve broctl error messages and error handling across the board.
    (Daniel Thayer)

  * Add a new optional node type "logger" that will handle logging
    instead of the manager. (Daniel Thayer)

1.4-132 | 2016-07-14 18:23:27 -0400

  * Don't run capstats on interfaces with packet source prefix. (Daniel Thayer)

1.4-130 | 2016-07-13 14:36:34 -0400

  * Improve the text of crash reports with instructions on how to
    get a backtrace, which should reduce the amount of useless crash
    reports mailed to the Bro team. (Daniel Thayer)

1.4-127 | 2016-07-06 08:58:18 -0500

  * Ignore packet source prefix of interface name when using capstats. (Jan Grashoefer)

1.4-125 | 2016-07-02 17:53:42 -0500

  * New plugin function "broctl_config" so plugin authors can add their own
    script code to the autogenerated broctl-config.bro script. (Seth Hall)

1.4-122 | 2016-07-02 12:05:23 -0500

  * Follow symlinks to directories when searching for plugins. (Jon Siwek)

1.4-119 | 2016-06-28 11:11:19 -0400

  * Fix race condition in reading/writing broctl-config.sh (Daniel Thayer)

1.4-117 | 2016-06-22 12:14:37 -0400

  * Improve broctl behavior when unable to stop a node. (Daniel Thayer)

1.4-112 | 2016-06-14 16:14:52 -0700

  * Fix a failing test on some platforms and improve its error
     message. (Daniel Thayer)

  * Add Bro plugin directory to broctl plugin search path. (Daniel Thayer)

  * Update test baselines. (Daniel Thayer)

  * Changed the default value of the StatusCmdShowAll option so that
    the broctl status command runs faster. (Daniel Thayer)

  * Changed the status-timefmt test so that it can be run in parallel
    with the other tests. (Daniel Thayer)

  * Remove dead code and update docs. (Daniel Thayer)

  * Rename serialization set for cluster tests. (Daniel Thayer)

  * Change node hostname resolution to be more consistent. (Daniel Thayer)

  * Add another test for broctl start command. (Daniel Thayer)

  * Prevent start helper from getting in infinite loop. (Daniel Thayer)

1.4-100 | 2016-05-17 16:22:25 -0700

  * Updating baseline for Bro control framework change. (Robin Sommer)

  * Fix for running broctl tests on OS X 10.11 (Daniel Thayer)

1.4-96 | 2016-04-28 13:43:22 -0400

  * Fix inconsistent return value data type for some commands, so that
    they always return a CmdResult. (Daniel Thayer)

1.4-94 | 2016-04-28 13:29:34 -0400

  * Fix the top command on OS X 10.10 or newer. (Daniel Thayer)

  * Fix build-bro script for running broctl tests on FreeBSD. (Daniel Thayer)

1.4-91 | 2016-03-31 15:08:24 -0500

  * Explicitly close the Broccoli connection to avoid resource leak. (Aaron Eppert)

1.4-89 | 2016-03-31 12:02:19 -0500

  * Prevent ssh login banners from appearing in broctl output. (Jon Schipp)

1.4-87 | 2016-03-31 10:35:47 -0400

  * Eliminate unnecessary writes to the state db. (Daniel Thayer)

1.4-84 | 2016-03-11 16:32:46 -0600

  * Support ip command for getting local IP addrs. (Jon Schipp)

1.4-77 | 2016-01-20 14:44:36 -0500

  * Changed LogExpireInterval to allow users to specify a more
    granular log expire interval, which is a number followed by
    a unit: "day", "hr", or "min".  An integer value with no unit
    is still allowed and interpreted the same as before. (Daniel Thayer)

  * More verbose error message for logexpireinterval value. (Daniel Thayer)

  * Prevent log expire interval from being less than rotation interval. (Daniel Thayer)

  * Improve the ps test diff canonifier. (Daniel Thayer)

  * Improve the cron-expire test script. (Daniel Thayer)


1.4-70 | 2016-01-19 22:42:10 -0600

  * Fix custom plugin commands to behave more like built-in commands. (Aaron Eppert/Daniel Thayer)

  * Add README.rst -> doc/broctl.rst symlink. Addresses BIT-1413 (Johanna Amann)

1.4-61 | 2015-12-19 13:39:47 -0800

  * Add broctl.cfg options PcapSnaplen and PcapBuflen to set pcap's
    packet snap length and buffer size, respectively. (Jan Grashoefer)

1.4-57 | 2015-12-11 12:00:07 -0500

  * Simplify some code and fix a test that can fail on OS X. (Daniel Thayer)

  * Improvements to broctl documentation. (Daniel Thayer)

  * Improve diagnostic and error messages. (Daniel Thayer)

  * Add more private IP space to etc/networks.cfg (Daniel Thayer)

  * Add a new broctl option, MailArchiveLogFail, to control sending
    log archive mail. (Daniel Thayer)

  * Check for invalid option names and values more carefully. (Daniel Thayer)

  * Fix use of ssh to always use IP address to avoid host key verification
    failures, and use BatchMode consistently to avoid a misleading
    error message when rsync fails. (Daniel Thayer)

  * Changed post-terminate to attempt to archive logs that have already
    been rotated.  Also changed crash-diag output file extension to no
    longer use ".log" in order to avoid post-terminate trying to
    archive it. (Daniel Thayer)

  * Send email if post-terminate fails to archive logs, and changed
    the post-terminate script to run archive-log serially instead
    of multiple instances simultaneously in the background.
    (Daniel Thayer)

  * Rename logs in the spool/tmp/post-terminate directory to indicate
    they were successfully archived when archive-log is run with the "-c"
    option.  (Daniel Thayer)

  * Capture output of background post-terminate script to file
    "post-terminate.out" which might be helpful for debugging
    problems with log archival. (Daniel Thayer)

  * Add bro node type to post-terminate dir name (Daniel Thayer)

1.4-36 | 2015-12-08 13:21:05 -0500

  * Fix problem of unexpected ifconfig output with some locales (Daniel Thayer)

1.4-34 | 2015-10-27 21:13:15 -0500

  * Added plugin for custom load balancing (Jan Grashoefer)

1.4-30 | 2015-08-21 17:23:39 -0700

  * Updating submodule(s).

1.4-28 | 2015-07-29 15:33:37 -0500

  * Handle a missing broctl-config.sh symlink (Justin Azoff)

1.4-26 | 2015-07-27 14:13:43 -0400

  * Create broctl-config.sh automatically (Daniel Thayer)

  * Undo a previous change for lb_procs error checking (Daniel Thayer)

  * Update broctl.rst by running "make doc" (Daniel Thayer)

  * Convert boolean config values to python bool type (Daniel Thayer)

1.4-20 | 2015-07-27 09:12:44 -0400

  * Merge remote-tracking branch 'origin/topic/dnthayer/ticket1434' (Justin Azoff)

  * Improve the broctl top helper script for FreeBSD (Daniel Thayer)

1.4-18 | 2015-07-27 09:03:22 -0400

  * Improve error message for invalid broctl plugin config values (Daniel Thayer)

  * Improve error message for invalid broctl config values (Daniel Thayer)

  * Improve error checking for local IP addresses (Daniel Thayer)

  * Cleanup some error msgs and source code comments (Daniel Thayer)

  * Close ssh connections upon config reload (Daniel Thayer)

  * Check for dangling Bro nodes every time node.cfg is loaded (Daniel Thayer)

  * Improve check for dangling Bro nodes (Daniel Thayer)

  * Remove unnecessary state variable type conversions (Daniel Thayer)

  * Convert config option values to correct data type (Daniel Thayer)

  * Check config file contents rather than timestamp (Daniel Thayer)

  * Add ability for broctl to reload its configuration, which the
    deploy command will do if a config file change is detected. (Daniel Thayer)

  * Avoid caching config values because config might change (Daniel Thayer)

  * Update a broctl test file (Daniel Thayer)

  * Keep track of both loaded plugins and active plugins (Daniel Thayer)

  * Reorganize some code (no changes in functionality) (Daniel Thayer)

  * Remove some config options and add a new one (Daniel Thayer)


1.4-1 | 2015-07-22 13:20:49 -0500

  * Fix test setup script to not overwrite LD_LIBRARY_PATH (Jon Siwek)

1.4 | 2015-06-09 09:19:56 -0500

  * Release 1.4.

1.4-beta-22 | 2015-06-02 10:34:44 -0500

  * Update broctl man page for deploy command (Daniel Thayer)

  * Updating baselines. (Robin Sommer)


1.4-beta-20 | 2015-05-28 12:15:28 -0700

  * Slight output tweaks. (Robin Sommer)

1.4-beta-19 | 2015-05-28 11:59:39 -0700

  * Improve documentation on site-specific customization. (Daniel
    Thayer)

  * Don't use daemon threads in ssh_runner. (Daniel Thayer)

  * Improve broctl documentation. (Daniel Thayer)

  * Fix minor error with restart clean. (Daniel Thayer)

  * Improve and extend tests. (Daniel Thayer)

  * Improve error messages related to the env_vars option. (Daniel Thayer)

  * Remove code that was automatically removing quoted values of the
    env_vars option. (Daniel Thayer)

  * Show help when user runs broctl with unknown command. (Daniel
    Thayer)

  * Improve visibility of archive-log error messages. (Daniel Thayer)

  * Add sanity checks on broctl options. (Daniel Thayer)

  * Improve error messages involving the state database file.
    Addresses BIT-1397 (Daniel Thayer)

  * Fixed error when a broctl command outputs binary data. (Daniel
    Thayer)

  * Fix the config change warnings on Python 3. (Daniel Thayer)

  * Fix an issue with the ps plugin where the "run-bro" script would
    appear in the output on some systems. (Daniel Thayer)

  * Inform user to run broctl deploy to get started. (Daniel Thayer)

  * Fix communication with muxer for newer Python versions. (Daniel
    Thayer)

  * Set correct Python path in Python scripts. (Daniel Thayer)

1.4-beta | 2015-05-07 20:26:22 -0700

  * Release 1.4-beta.

1.3-221 | 2015-04-22 15:20:20 -0500

  * Improve the test build script to show build error output. (Daniel Thayer)

1.3-220 | 2015-04-21 14:54:49 -0400

  * Fix problem where use of broargs causes error message (Daniel Thayer)

  * Avoid unnecessary string building in logging functions (Daniel Thayer)

  * Handle broctl output messages more consistently (Daniel Thayer)

  * Don't show certain warnings when they're not useful (Daniel Thayer)

  * Fix the interactive command tab completion feature (Daniel Thayer)

  * Simplify some SQL and remove unused code in the state database (Daniel Thayer)

1.3-212 | 2015-04-17 15:27:14 -0500

  * Fix the use of the "first-line" helper script (Daniel Thayer)

  * Added a new broctl option "CommandTimeout" that specifies the number
    of seconds to wait for a command to return results.  This value is
    passed to ssh_runner. (Daniel Thayer)

  * Improve error reporting for ssh_runner (Daniel Thayer)

  * Changed the status command to run only one helper script so that the
    status command takes half as long to run in the worst-case scenario.
    This involved replacing the "cat-file" helper with a new one that
    can handle multiple files, and only outputs the first line of each file.
    (Daniel Thayer)

  * Remove unused default timeout values in ssh_runner.  Also changed the
    ping timeout and changed the code to actually use it. (Daniel Thayer)

  * Fix response handling (Justin Azoff)

  * Enable json serialization of CmdResult objects (Justin Azoff)

  * Enable BatchMode for ssh

    From the ssh manual:

        If set to ``yes'', passphrase/password querying will be disabled.
        This option is useful in scripts and other batch jobs where no user
        is present to supply the password. (Justin Azoff)

  * Improve some error messages (Daniel Thayer)

  * Fix to prevent broctl from hanging when an exception occurs.
    Make sure that the finish method is called (to signal that we're done
    to the ssh_runner worker threads). (Daniel Thayer)


1.3-197 | 2015-04-16 16:15:25 -0500

  * Use daemon threads only for remote hosts (Daniel Thayer)

  * Fix to prevent the broctl stop command from hanging (Daniel Thayer)

  * Remove the run-cmd helper script (Daniel Thayer)

1.3-185 | 2015-04-03 14:54:06 -0400

  * Update test baselines. (Daniel Thayer)

  * Improved error reporting in several cases. (Daniel Thayer)

  * Added checks if there are any nodes to start or stop to avoid
    executing code unnecessarily. (Daniel Thayer)

  * Preserve order of hosts in command lists to be executed. (Daniel
    Thayer)

  * Catch the KeyboardInterrupt exception. (Daniel Thayer)

  * Reorganize code for the df command. (Daniel Thayer)

  * Python 3 compatibility fixes. (Daniel Thayer)

  * Make sure "broctl deploy" error messages are visible. (Daniel Thayer)

  * Speedup the deploy command by checking only one node of each node
    type. (Daniel Thayer)

  * Fix a race condition that results in data loss on the SSH control
    channels. (Daniel Thayer)

  * While waiting for lock, show owning PID of lock. (Daniel Thayer)

  * Make sure broctl always closes any file that it opens. (Daniel Thayer)

  * Update broctl install requirements list. (Daniel Thayer)

  * Don't show log header lines in "broctl scripts" output. (Daniel
    Thayer)

  * Added functions to cleanup before broctl terminates (Daniel
    Thayer)

1.3-165 | 2015-03-30 13:46:23 -0500

  * BIT-1326: Add configure-time check for required sqlite3 python
    module. (Jon Siwek)

1.3-162 | 2015-03-17 09:36:26 -0700

  * Update the documentation. (Daniel Thayer)

  * Add a new command "deploy" which does a "check", "install", and
    "restart".  The intention of this command is to reduce the chance
    that users will forget to install after modifying their
    configuration. (Daniel Thayer)

  * Sort broctl command output for easy readability.

  * Remove duplicate nodes from input so that broctl can't run a
    command twice for the same Bro node. (Daniel Thayer)

  * Improve error output. (Daniel Thayer)

  * Allow specifying alternate Bro script directory via "--scriptdir"
    option of the configure script when building Bro. (Daniel Thayer)

  * Allow specifying alternate location for etc/ directory via the
    "--conf-files-dir" option of the configure script when building
    Bro. (Daniel Thayer)

  * Simplify internals of the main broctl script. (Daniel Thayer)

  * Removed the use of BROCTL_INSTALL_PREFIX for modifying the install
    prefix at run-time.  This was only intended for use by the test
    scripts. Now the test setup scripts just modify all the files
    where the install prefix is hard-coded. (Daniel Thayer)

1.3-150 | 2015-03-04 12:17:42 -0800

  * Significant improvements (mostly internal), reorganization, and
    cleanup across the whole code base. (Justin Azoff and Daniel
    Thayer)

    This includes:

      - Refactor broctl to make it usable as a library (reduce global
        state, module-level setup code, and functions return results
        instead of printing).

      - Integrate ssh_runner code into broctl to fix current problems
        (use only one connection per host instead of one per Bro node;
        broctl shouldn't hang when a host goes down or if we forgot to
        run "broctl install"),

      - Write state info using SQLite state storage instead of writing
        to a plain text file (broctl.dat).

      - When the node config changes, we now do additional checks if
        there are any Bro nodes running that are no longer in our node
        config and warn user if any are detected.

      - Keep track of the expected state (running or stopped) of each
        Bro node, and have broctl cron start or stop nodes as needed.

      - Improved broctl cron by adding two new options (MailHostUpDown
        and StatsLogEnable) to enable users the option to turn off
        unwanted functionality to speed up broctl cron and reduce the
        chance of errors.

      - When broctl cron tries to send email but fails, now it will
        output a message that includes the text it was trying to mail.

      - Silence warning messages that are intended for interactive use
        of broctl when broctl cron runs to reduce unwanted emails from
        cron.

      - Added new broctl option StatusCmdShowAll to enable users to
        speed up "broctl status" significantly.

      - Fixed the stats-to-csv script to not create files that can
        never include any data.

      - Fixed archive-log script to detect exit status of gzip or cp
        command, so that we don't delete log file when the archival
        fails.

      - Improved post-terminate script to process log files more
        consistently.

      - Made all broctl command output go to stdout (previously, some
        output would go to stderr, which made grepping or redirecting
        the output more difficult),

      - Improved the default broctl.cfg file to show more of the
        useful options.

      - Added more error checks to help catch errors earlier.

      - Some error message output is more specific and helpful now.

1.3-12 | 2014-12-08 13:53:23 -0800

  * Add man page for broctl. (Raúl Benencia)

1.3-9 | 2014-12-01 12:03:53 -0600

  * Remove execute permission on scripts not needing it. (Raúl Benencia)

1.3-8 | 2014-10-31 09:17:27 -0500

  * BIT-1166: Add configure options to fine tune local state dirs.
    (Jon Siwek)

1.3 | 2014-06-02 08:59:01 -0700

  * Fix for capstats to display correct interface name when using
    PF_RING+DNA with pfdnacluster_master. (Daniel Thayer)

  * Fix for capstats with PF_RING+DNA pfdnacluster_master.
    (Daniel Thayer)

1.3-beta | 2014-05-19 16:29:36 -0500

  * Improve documentation of PFRINGFirstAppInstance option (Daniel Thayer)

  * Update broctl.rst with "make doc" (no other changes) (Daniel Thayer)

  * Move some content into the main Bro docs in a new section "Cluster
    Configuration". (Daniel Thayer)

  * Rename the broctl option pfringdnafirstappinstance to
    pfringfirstappinstance. (Daniel Thayer)

  * Remove references to the now unused BROMAGIC (Daniel Thayer)

1.2-129 | 2014-05-01 20:58:28 -0700

  * A bug fix and feature add for PF_Ring support. (Seth Hall)

     - Reset the app_instance for the case where there
       are multiple dnaclusters on a single host.

     - Add naming support for zerocopy (zc) clusters.

  * Use a hash to determine if a config change occurred. (Daniel Thayer)

  * Change hosts() function in the plugin API to return a list of
    nodes instead of just hostnames. (Daniel Thayer)

  * Add warnings when node config or broctl.cfg has changed. (Daniel Thayer)

  * Code simplification, remove the unused broctl "home" option, and
    improved a couple warning messages. (Daniel Thayer)

  * Fixed a bug where broctl cron could email about the "$total"
    pseudo-node not receiving any packets. (Daniel Thayer)

  * Code reorganization for the getDf function to avoid direct output
    and thereby reporting the same error message multiple times for
    the same host. (Daniel Thayer)

  * Cleanup some code for style consistency, reformat some comments to
    fit on an 80-column display, and remove some dead code. (Daniel
    Thayer)

  * Replace the update-stats script with Python code. (Daniel Thayer)

  * Gather disk usage by host rather than by node. The output now also
    shows both node and host names and is now sorted by node type.

  * Adjust column widths for top, netstats, peerstatus commands.
    (Daniel Thayer)

  * Change the broctl exec command to run only once per host. (Daniel
    Thayer)

  * Changed the hosts() function so that it preserves the order of the
    returned node list as it was sorted by the nodes() function.
    (Daniel Thayer)

1.2-106 | 2014-04-10 08:32:18 -0700

  * Update test baselines, and minor code cleanup. (Daniel Thayer)

1.2-104 | 2014-04-05 01:01:29 -0400

  * Updated PF_Ring plugin now supports PF_Ring+DNA. (Seth Hall)

1.2-99 | 2014-03-30 22:21:20 +0200

  * Update documentation with better install/setup instructions.
    Addresses BIT-1160 (Daniel Thayer)

1.2-97 | 2014-03-16 07:40:31 -0700

  * Minor doc update for a broctl option. (Daniel Thayer)

  * Adjust broctl status output to avoid bad column alignment. (Daniel
    Thayer)

  * Do not ping when checking if a host is alive. Removed the ping
    from the host alive check because the ping might be blocked by a
    firewall, and neither Bro nor broctl needs the ability to ping
    hosts. (Daniel Thayer)

  * If the current version of Bro doesn't match the version when
    broctl install was previously run, then a warning message (to run
    broctl install) is displayed when broctl starts. Addresses
    BIT-1152. (Daniel Thayer)

  * Reduce the risk of losing track of state info. Changed the way
    broctl updates PIDs and crash flags by writing the new values to
    disk immediately, one at a time, as soon as each new value is
    available. Also changed the way that the state file is updated
    when each command finishes by doing the update as an atomic
    operation. (Daniel Thayer)

  * Better error handling for a number of broctl commands. (Daniel Thayer)

  * Improve error output when broctl install has not been run yet.
    (Daniel Thayer)

  * Fix a failing test on FreeBSD 10. (Daniel Thayer)

  * Changed the output of the check command to be more specific about
    what it is actually checking. (Daniel Thayer)

  * Improve handling of dead hosts and closed/hanging connections.
    (Daniel Thayer)

  * Fixed a typo in the run-bro script that was causing the memlimit
    option to be ignored. Added added a test to verify that memlimit
    is used. (Daniel Thayer)

  * Simplify code that execs commands locally. (Daniel Thayer)

  * Prevent infinite loop in start helper script if it cannot execute
    the run-bro script. (Daniel Thayer)

  * pf_ring plugin: Show error if lb_procs is needed but not given,
    and disable plugin if not used. (Daniel Thayer)

  * Catch an exception that is raised when loading a plugin that does
    not override all required methods, and output an error message.
    (Daniel Thayer)

  * Fix start helper script to return nonzero on error. (Daniel
    Thayer)

  * Improve start/stop command output for crashed nodes.

  * Added a test for stopping a node that crashes during shutdown.
    (Daniel Thayer)


1.2-73 | 2014-02-28 14:44:51 -0800

  * Added ability of broctl cron to expire entries in stats.log that
    are older than the number of days specified in the new broctl
    option StatsLogExpireInterval. Addresses BIT-123. (Daniel Thayer)

  * Add broctl option BroPort to change the starting Bro port.
    Addresses BIT-1117. (Daniel Thayer)

1.2-66 | 2014-02-06 20:29:20 -0800

  * Make sure logs are archived after broctl kills Bro. Addresses
    BIT-1126. (Daniel Thayer)

1.2-63 | 2014-02-04 09:10:39 -0800

  * Fix a few sporadic test failures. (Daniel Thayer)

1.2-61 | 2014-01-31 11:11:39 -0800

  * Fix error handling for process command. (Daniel Thayer)

  * Update and improve the tests of broctl process. (Daniel Thayer)

  * Improve broctl help message for the process command. (Daniel
    Thayer)

  * Reorder the broctl process command Bro arguments. Addresses
    BIT-1124. (Daniel Thayer)

1.2-56 | 2014-01-28 15:54:14 -0800

  * A large set of improvements to the test build scripts to address
    error scenarios, fix failures to report problems, and provide
    convenience features.  (Daniel Thayer)

    Includes:

        - New Makefile target "rerun" to more easily re-run failed
          tests.

        - Two new environment variables recognized by test scripts:

            * If Bro fails to build, you can define an environment
              variable BROCTL_TEST_BUILDARGS which specifies
              additional options that will be passed to Bro's
              "configure" script.

            * Defining BROCTL_TEST_USEBUILD will use the Bro default
              build directory (instead of a custom build directory for
              the broctl tests).

  * Add lots of new tests. (Daniel Thayer)

1.2-28 | 2014-01-22 10:47:49 -0800

  * Fix bug with timemachineport broctl option. (Daniel Thayer)

  * Improved formatting of cluster-layout.bro for readability. (Daniel
    Thayer)

1.2-26 | 2014-01-21 07:12:38 -0800

  * Update the docs. (Daniel Thayer)

1.2-23 | 2014-01-20 12:22:42 -0800

  * Move some output about slow nodes to debug.log. (Daniel Thayer)

  * Improve broctl output formatting. (Daniel Thayer)

  * Fix redundant emails from broctl cron when dead host found.
    (Daniel Thayer)

  * Fix broctl top on OS X Mavericks. (Daniel Thayer)

  * Fix plugin init return values. This also fixes the myricom plugin,
    which wasn't explicitly returning a value from its init method and
    therefore was being disabled as a result. (Daniel Thayer)

  * Enable dead hosts caching while in cron mode. (Justin Azoff)

  * Use getattr for looking up plugin methods for simplifying the
    plugin code. (Justin Azoff)

  * Remove redundant plugin initialization. (Justin Azoff)

1.2-12 | 2014-01-20 11:23:23 -0800

  * Fix bug with IPv6Comm broctl option, which had no effect. (Daniel Thayer)

1.2-10 | 2014-01-13 01:57:53 -0800

  * Add a new option "PFRINGClusterType" that allows a user to specify
    a PF_RING cluster type; it defaults to 4-tuple (which is different
    from the 6-tuple that previous versions used). The PF_RING plugin
    uses this information to set the corrresponding environment
    variable for a PF_RING-aware libpcap. Addresses BIT-1108. (Daniel
    Thayer)

  * Minor reorganization of the README to avoid redundancy. (Daniel
    Thayer)

1.2-3 | 2013-12-09 13:24:28 -0800

  * Remove unused Broxygen-style script comments. (Jon Siwek)

1.2 | 2013-11-07 07:04:54 -0800

  * Release 1.2.

1.2-beta-28 | 2013-11-06 00:22:24 -0800

  * Improve check-pid helper script. (Daniel Thayer)

1.2-beta-26 | 2013-11-01 04:51:57 -0700

  * Add another warning message when a host is not alive. (Daniel
    Thayer)

1.2-beta-24 | 2013-10-31 00:19:41 -0700

  * Do not check if the local host is "alive". (Daniel Thayer)

1.2-beta-22 | 2013-10-26 19:19:31 -0700

  * Document which broctl options override Bro script variables.
    (Daniel Thayer)

  * Updates and clarifications to docs. (Daniel Thayer)

1.2-beta-17 | 2013-10-18 13:22:16 -0700

  * Fix internal lookup of nodes, which would fail to return the right
    items in some cases when node naming didn't match standard
    terminology. Addresses BIT-1091. (Daniel Thayer)

1.2-beta-13 | 2013-10-10 13:38:58 -0700

  * Updating copyright notice. (Robin Sommer)

  * Fix the broctl "top" command output on Linux. (Daniel Thayer)

  * Fix a race condition when sendmail option is empty string. (Daniel
    Thayer)

  * Fix a deadlock when capturing output from local command. (Daniel
    Thayer)

  * Improve portability of shell scripts used by broctl. (Daniel
    Thayer)

  * Fix for setting REPO in Makefile. (Robin Sommer)

1.2-beta | 2013-09-23 20:30:31 -0700

  * Update 'make dist' target. (Jon Siwek)

  * Fix problem with the "broargs" options that would occur when a
    command-line argument in broargs contained a space. (Daniel
    Thayer)

  * Change submodules to fixed URL. (Jon Siwek)

1.1-190 | 2013-09-20 14:26:41 -0700

  * Add more links in BroControl documentation. (Daniel Thayer)

1.1-188 | 2013-09-18 14:46:10 -0700

  * Add tests for new BroControl features (CPU pinning, PF_RING
    multiple cluster IDs, "env_vars") (Daniel Thayer)

  * Fix link to git repo to be consistent with other links. (Daniel
    Thayer)

  * Fix broken doc links. (Jon Siwek)

1.1-182 | 2013-08-27 13:32:35 -0700

  * Improve CPU pinning documentation and error message. Addresses
    BIT-1068 (Daniel Thayer)

  * Switching to relative submodule paths. (Robin Sommer)

  * Documentation fixes. (Daniel Thayer)

  * Minor fixes for broctl tests. (Daniel Thayer)

  * Fix bug with usage of cmd_restart_pre method. (Daniel Thayer)

  * Remove unused subdirectory "spool/scripts". (Daniel Thayer)

  * Remove unused imports, variables, and semicolons. (Daniel Thayer)

1.1-171 | 2013-08-16 15:36:14 -0700

  * Changed and document the behavior of the SitePolicyPath broctl
    option to not clobber existing files/directories when copying, in
    order to match the expected behavior (directories earlier in the
    list take precedence over directories later in the list when
    duplicate filenames are encountered). Addresses BIT-714. (Daniel
    Thayer)

  * A series of changes to make broctl return useful exit codes. (Vlad
    Grigorescu, Daniel Thayer).

    Generally, broctl now returns 0 if everything went ok with regards
    to what the documentation says should have happened, and 1
    otherwise. We keep the following exceptions for now though:

        - "cron" always returns 0.
        - "status" and "top" return 0 if all bro nodes are
          running, and returns 1 otherwise.
        - commands provides by plugins always return 0.

1.1-158 | 2013-08-02 17:06:57 -0700

  * Add ability to set environment variables in node.cfg and
    broctl.cfg via new "env_vars" options taking a comma-separated
    list (e.g., "env_vars=VAR1=1,VAR2=2"). Variables in node.cfg take
    prioroty over broctl.cfg. Addresses BIT-1010. (Daniel Thayer)

1.1-150 | 2013-07-14 08:00:44 -0700

  * Fix broken link in README. (Johanna Amann, thanks kraigu)

1.1-148 | 2013-07-03 17:06:44 -0700

  * Updates to test infrastructure. (Daniel Thayer)

    - Fix canonifier script for handling missing gdb.
    - Update baselines for recent changes to crash-diag.
    - Remove "make quick" from the README.
    - Minor cleanup of the build script.
    - Remove unused Makefile variable.
    - Remove the "-j" option to make as it can cause lock-ups on
      some machines.
    - Replace realpath command with more portable Python equivalent.

1.1-140 | 2013-06-07 16:35:08 -0700

  * Adding OS to crash output. (Robin Sommer)

  * Giving the broctl test suite its own build directory. (Robin Sommer)

1.1-137 | 2013-05-31 17:16:14 -0700

  * New regression test suite for BroControl. "make test" runs it. See
    testing/README for more information. (Daniel Thayer)

1.1-101 | 2013-05-24 17:55:41 -0700

  * Add support for CPU pinning. To use CPU pinning, a new per-node
    option "pin_cpus" can be specified in node.cfg, and the OS must be
    either Linux or FreeBSD (if such a node.cfg is used on another OS,
    then the "pin_cpus" option is ignored). Addresses #996. (Daniel
    Thayer)

1.1-99 | 2013-05-24 17:34:44 -0700

  * Allow multiple conn-summary.log files to be processed to avoid
    conflicts when stopping Bro shortly after a log rotation. (Daniel
    Thayer)

  * Prevent deletion of unarchived logs during "broctl stop" when
    archiving takes a while. (Daniel Thayer)

1.1-94 | 2013-05-17 13:29:04 -0700

  * Don't import readline, it's loaded implicitly already. (Daniel
    Thayer)

1.1-92 | 2013-05-17 07:37:13 -0700

  * Removing uncessary directory check. (Robin Sommer)

1.1-91 | 2013-05-16 20:25:00 -0700

  * Stop trying to create the stats/www directory if it already
    exists. Addresses #1007. (Seth Hall)

  * Another batch of fixes. (Daniel Thayer)

    This includes:

    - Fix usage of PF_RING interface containing semicolons.
    - Fix broctl exec command to check for errors.
    - Fix a race condition during broctl start.
    - Remove some dead code.
    - Fix exit status output in debug log.

  * Add support for the "--scriptdir" configure option. Adresses
    #993. (Daniel Thayer)

1.1-79 | 2013-05-10 19:39:55 -0700

  * A set of bug fixes and robustness improvements. (Daniel Thayer)

    This includes:

    - Add more error checking and reporting to cron command.
    - Improve error checking of top helper output.
    - Improve error checking of capstats output.
    - Fix a bug when the time command is not found.
    - Fix the broctl top and cron commands on OS X.
    - Fix a couple of bugs in the broctl ps plugin.
    - Remove unused broctl scripts.
    - Improve the check-pid helper script.

1.1-63 | 2013-04-25 16:14:51 -0400

  * Add support for multiple PF_RING cluster IDs

    Instead of assigning the same PF_RING cluster ID to every worker
    in a Bro cluster, the pf_ring broctl plugin has been modified to
    automatically assign a different PF_RING cluster ID for each se
    of workers on a host that all sniff the same interface.  The firs
    such set of workers on a host are assigned the globally-configured
    PF_RING cluster ID (this is the "pfringclusterid" broctl option in
    broctl.cfg).  Each subsequent set of workers on a host that sniff
    another interface are assigned a different value (incremented by
    one from previous value). Addresses #943. (Daniel Thayer)

1.1-61 | 2013-03-22 12:25:22 -0700

  * Fix problem with the cron command hanging sometimes. Addresses
    #591. (Seth Hall)

1.1-59 | 2013-03-17 13:36:04 -0700

  * Lots of small fixes, cleanup, and documentation improvemets (in
    particular, but not only, to the plugin API). (Daniel Thayer).

    This includes:

        - Check for plugins with same prefix
        - Prevent capstats from being run with invalid args
        - Fix plugin inconsistency for certain broctl commands
        - Document the broctl user option KeepLogs?
        - Add a note in documentation about editing crontab
        - Fix broctl plugin option names to be case-insensitive
        - Remove reserved word "cluster" from node args
        - Fix documentation of broctl commands
        - Add calls to plugin cmd_restart_pre/post methods
        - Fix instructions for adding plugin directories
        - Fix the broctl check command to report results
        - Fix handling of cmd_diag_pre for diag command
        - Changed return value of plugin API "execute" method
        - Add return value to some cmd_<cmd>_pre methods
        - Add a check for state variables in broctl.cfg
        - Changed "hosts" method to return list of hosts
        - Call "done" method from plugin API
        - Call hostStatusChanged with correct arg type
        - Fix the parseNodes method in plugin API
        - Fix the "error" method in broctl plugin API
        - Fixed tab-completion of commands with node args
        - Fix broctl plugin API documentation errors
        - Fix typos in TestPlugin? output messages
        - Add cron "--no-watch" option to broctl "help" output
        - Fix the "execute" method of the Plugin class
        - Fix various bugs and remove some unused code

1.1-26 | 2012-12-20 17:53:52 -0800

  * Add Bro version to crash reports. (Robin Sommer)

  * Add a new broctl option "MailConnectionSummary" that specifies
    whether or not to mail the connection summary reports.  (Daniel
    Thayer)

1.1-23 | 2012-12-06 15:52:20 -0800

  * Update documentation for recent MailFrom change. (Daniel Thayer)

1.1-21 | 2012-12-06 08:34:14 -0800

  * MailFrom broctl.cfg option now adds a redef for Notice::mail_from.
    (Jon Siwek)

  * Bump CPack RPM package requirement to python >= 2.6.0. (Jon Siwek)

1.1-18 | 2012-10-31 14:24:27 -0700

  * Add new broctl.cfg option "MailAlarmsInterval" to allow user to
    specify alarm mail interval. Default is once per day. (Daniel
    Thayer)

1.1-12 | 2012-10-24 15:53:48 -0700

    * Add a message at the top of broctl-generated crash report emails
      that explains how to submit the crash report to a mailing list
      address. Addresses #876. (Daniel Thayer)

1.1-10 | 2012-10-19 15:10:20 -0700

  * Fix `broctl install` to now also copy subdirs in SitePolicyPath.
    Addresses #902. (Jon Siwek)

1.1-8 | 2012-10-19 14:52:23 -0700

  * Add options CompressCmd and CompressExtension to customize log
    compressions scheme. (Justin Azoff)

1.1-3 | 2012-09-25 06:23:34 -0700

  * Updates to documentation. (Daniel Thayer)

1.1 | 2012-08-24 15:09:04 -0700

  * Fix MailAlarmsTo broctl config option. Addresses #814. (Daniel
    Thayer)

  * Fix configure script to exit with non-zero status on error. (Jon
    Siwek)

1.1-beta-2 | 2012-08-10 12:29:56 -0700

  * Updates to disable STDERR printing from the reporter framework.
    (Seth Hall)

1.1-beta | 2012-07-20 07:03:21 -0700

  * Fix broctl startup when using custom config file dirs. (Jon Siwek)

  * Change crash report info to include stack traces from all threads.
    (Jon Siwek)

  * Changed the invocation of gdb that produces the crash report. (Jon
    Siwek)

1.0-64 | 2012-07-10 16:07:50 -0700

  * Remove automatic override of config file directory with /usr prefix.

  * Small updates to BroControl docs. (Daniel Thayer)

1.0-58 | 2012-07-02 15:55:06 -0700

  * Improvements to built-in load-balancing support. Instead of adding
    a separate worker entry in node.cfg for each Bro worker process on
    each worker host, it is now possible to just specify the number of
    worker processes on each host. (Daniel Thayer)

    This change adds three new keywords to the node.cfg file (to be
    used with worker entries): lb_procs (specifies number of workers
    on a host), lb_method (specifies what type of load balancing to
    use: pf_ring, myricom, or interfaces), and lb_interfaces (used
    only with "lb_method=interfaces" to specify which interfaces to
    load-balance on).

    Two new broctl plugins (which operate automatically and the user
    doesn't need to be aware of them) are added to set the appropriate
    environment variables when either PF_RING or myricom
    load-balancing is being used.

1.0-43 | 2012-07-02 15:40:01 -0700

  * Improve README. Rewrote the section on site-specific customization
    so that it is more clear about the load order of scripts relevant
    to site-specific customization.  Removed the description of
    several features that don't seem to work: "worker-1.local.bro" is
    not automatically loaded, there is no example policy in
    local-manager.bro, local-manager.bro and local-worker.bro do not
    automatically load local.bro, and proxies do not automatically
    load local-worker.bro. (Daniel Thayer)

1.0-40 | 2012-06-06 11:52:06 -0700

    * Fix the "cron disable" command, which didn't work. This also
      removes the config option CronEnabled. The command is now the
      only way to turn off cron operation. (Daniel Thayer)

1.0-38 | 2012-05-24 17:42:37 -0700

  * Improvements to IPv6 support. (Jon Siwek)

    - Add ability to manage a cluster over non-global IPv6 scope (e.g.
      link-local), by specifying "zone_id" keys per node in node.cfg
      and "ZoneID" option in broctl.cfg.

    - Replace socket.gethostbyname lookups with socket.getaddrinfo to
      support IPv6.

    - ::1 is now recognized as the IPv6 loopback and a "local" address
      where before 127.0.0.1 was expected.

    - Update usages of ping, ssh, rsync, and ifconfig to work with IPv6
      addresses.

    - New "IPv6Comm" option in broctl.cfg can be set to 0 to turn off
      IPv6-based communication capabilities (on by default).

1.0-35 | 2012-05-17 11:57:30 -0700

  * BroControl tweaks to support non-ASCII logs. (Robin)

        - The main change is that we give another argument to
          post-processors that indicates the writer type that produced
          the log. That comes with an incompatible part: the
          make-archive-name script now receives the writer as its
          2nd(!) argument. Customized versions need be adapted.

        - The standard postprocessors now check whether they are
          processing something else than ASCII logs and adapt their
          behaviour accordingly (e.g., by not compressing, and or not
          running trace-summary).

1.0-32 | 2012-05-14 17:20:17 -0700

  * Fix typos in broctl docs. (Daniel Thayer)

1.0-29 | 2012-05-03 11:34:29 -0700

  * Added an option to specify 'etc' directory. Addresses #801.
    (Daniel Thayer)

  * Fix typos. (Daniel Thayer)

1.0-24 | 2012-04-24 14:37:49 -0700

  * Update some broctl option descriptions. (Daniel Thayer)

1.0-22 | 2012-04-19 09:52:44 -0700

  * Options SitePolicyStandalone, SitePolicyManager, and
    SitePolicyWorker were unused. Now they are, and they replace the
    hard-coded defaults if defined. Addresses #797. (Daniel Thayer)

1.0-20 | 2012-04-19 09:08:32 -0700

  * Remove unused broctl options and fixed a couple of typos in the
    option names. (Daniel Thayer)

1.0-17 | 2012-04-16 18:06:28 -0700

  * Fixed lots of documentation typos and broken links. (Daniel
    Thayer)

  * Update broctl help information. (Daniel Thayer)


1.0-13 | 2012-04-09 15:59:17 -0700

  * Remove "-p" option from broctl "scripts" command help. (Daniel
    Thayer)

  * Updating helper script to work with conn.log in Bro 2.0. (Daniel
    Thayer)


1.0-9 | 2012-03-28 15:46:02 -0700

  * Improve error message when failing to update broctl-config.sh
    symlink (Jon Siwek)

  * Raise minimum required CMake version to 2.6.3. (Jon Siwek)

  * Remove the unused "PolicyDirBroCtl" option. (Daniel Thayer)

  * Rename the spool/policy directory so it is less visible. Addresses
    #767. (Daniel Thayer)

1.0 | 2012-01-10 18:57:50 -0800

  * Tweaks for OpenBSD support. (Jon Siwek)

0.5-beta-43 | 2012-01-03 14:45:40 -0800

  * broctl now creates spool directories it finds missing. Addresses
    #716. (Edward Groenendaal)

0.5-beta-39 | 2011-12-16 02:49:28 -0800

  * Add StopTimeout option to broctl.cfg that sets the number of
    seconds to wait after issuing the 'stop' command before sending a
    SIGKILL to Bro instances. Adresses #608. (Jon Siwek)

  * Add CommTimeout option to broctl.cfg that sets the number of
    seconds to timeout Broccoli connnections. Addresses #608. (Jon
    Siwek)

  * Re-order the way local.bro and local-<node>.bro scripts are
    loaded. Node-specific local scripts now load after local.bro so
    tha identifiers defined by the loading of local.bro can be used in
    them. Addresses #663 (Jon Siwek)

0.5-beta-34 | 2011-12-02 17:17:14 -0800

  * Make BroControl more robust when a node dies. (Robin Sommer)

  * Disable collecting of prof.logs. The logs can get huge, which lets
    cron take a while. (Robin Sommer)

  * Fix standalone->cluster upgrade failing to update logs/current
    symlink. Fixes #676. (Jon Siwek)

  * Fix broctl 'scripts' command in cluster mode. Fixes #655. (Jon
    Siwek)

  * Teach 'check' command to generate temporary versions of autogen.
    files. Addresses #658. (Jon Siwek)

  * Submodule README conformity changes. (Jon Siwek)

0.5-beta-20 | 2011-11-14 20:04:21 -0800

  * Fixing some platforms behaving poorly during configure-time checks
    when a superproject's languages didn't encompass a subproject's.
    (Jon Siwek)

  * Configure sendmail option in options.py instead of broctl.cfg.
    Fixed #645. (Jon Siwek)

  * Fix extraneous installation of BroControl plugins. (Jon Siwek)

  * Apply patch for BroControl Python 2.3/2.4 compatibility. Closes
    #662. (William Jones)

  * Avoid rerunning the previous command when hitting just enter in
    broctl. (Justin Azoff)

0.5-beta-12 | 2011-11-06 19:23:43 -0800

  * broctl.cfg now determines sendmail location at configure-time.
    Addreses #645 (Jon Siwek)

  * Disable log expiration by default. Addresses #613. (Jon Siwek)

  * Make symlink to broctl-config.sh update with `broctl install`.
    Addresses #648 (Jon Siwek)

  * Fixed a problem when host= in standalone is not 127.0.0.1 or
    localhost. (Seth Hall)

0.5-beta | 2011-10-27 17:45:15 -0700

  * Updating submodule(s). (Robin Sommer)

0.41-143 | 2011-10-26 10:15:16 -0500

  * Update submodules. (Jon Siwek)

0.41-142 | 2011-10-25 20:17:25 -0700

  * Updating submodule(s). (Robin Sommer)

0.41-137 | 2011-10-25 15:44:18 -0700

  * Updating CHANGES and VERSION. (Robin Sommer)

  * Make dist now cleans the copied source. (Jon Siwek)

0.41-130 | 2011-10-18 08:03:35 -0700

  * Distribution cleanup and some README fixes. (Robin Sommer)

  * Fixed a bug caused by communication framework API update. Reported
    by Daniel. (Seth Hall)

0.41-128 | 2011-10-06 17:23:03 -0700

  * Change broctl.cfg LogRotationInterval to be specificed in seconds. (Jon Siwek)

  * Force broctl 'process' command to enable local logging. Addresses
    #632 (Jon Siwek)

0.41-124 | 2011-10-05 16:58:10 -0700

   * New broctl.cfg option for log rotation interval. Addresses #630.
     (Jon Siwek)

   * Removed some of the broct/nodes/* scripts and instead
     consolidated their functionality into the node-specific scripts
     that come with Bro's cluster framework. (Jon Siwek)

   * Within the cluster framework, local-<node>.bro scripts should now
     be loaded after the distributions <node>.bro script so things can
     be overrided. (Jon Siwek)

   * Auto-generated broctl scripts are loaded after all node-specific
     scripts and can override their options. (Jon Siwek)

  * Move configuration of PFRINGClusterID from broctl.cfg.in to
    options.py. Addresses #621. (Jon Siwek)

  * Add configure-time check for libpcap PF_RING support. Addresses
    #621 (Jon Siwek)

  * Fixing typo with process command. (Robin Sommer)

  * Script cleanup.  (Seth Hall)

    - Reshuffling "check" functionality into check.bro.

    - Removing some code to deal with the non-existent react framework.

  * Give check command its own script for tuning options. Addresses
    #618). (Jon Siwek)

  * Stop and restart command now stop worker nodes first. Addresses
    #596. (Jon Siwek)

  * broctl check no longer rotates logs. Addresses #618. (Jon Siwek)

0.41-101 | 2011-09-08 02:20:28 -0400

  * Implementing PF_RING environment variables. (Seth Hall)

0.41-99 | 2011-09-04 09:08:59 -0700

  * Added --with-pcap configure option. (Jon Siwek)

  * Various smaller tweaks to CMake setup. (Jon Siwek)

  * Removed alarm log mailing postprocessing script from BroControl.
    (Jon Siwek)

  * Log rotation is disabled when using the 'process' command to
    analyze trace files. (Jon Siwek)

  * Fixed 'scripts' command. (Jon Siwek)

  * Fixed inconsistent rotated-log naming. (Jon Siwek)

  * Changed the 'mail-log' postprocessor to mail alarm.log's. (Jon
    Siwek)

  * Fix Config.state key capitalization inconsistencies. (Jon Siwek)

  * Fixes for broctl 'check' command. Addresses #548. (Seth Hall and
    Jon Siwek)

  * Updated README. (Jon Siwek)

  * Copy bro binary only in NFS mode (fixes #361). (Jon Siwek)

  * Fix install command failing because of missing parent dirs. (Jon Siwek)

  * Removing the analysis.dat file since it's not used anymore. (Seth Hall)

  * Better informational output if attempt to remove old scripts
    before installing new ones failes. Addresses #470. (Craig Leres)

  * Updating log rotation support for the new logging rotation code.
    (Seth Hall)

  * Updates for cleanup and meshing with Bro reorg. (Seth Hall)

0.41-73 | 2011-08-13 12:14:28 -0700

  * Moving README*. into subdir doc. The top-level README is now
    auto-generated. (Robin Sommer)

0.41-68 | 2011-08-05 12:49:30 -0700

  * Install example config files dynamically when the distribution
    version differs from existing version on disk. (Jon Siwek)

0.41-63 | 2011-08-03 22:10:40 -0700

  * Revamped how the work is split between Bro and BroControl. Much of
    functionality previously found in BroControl policy scripts has
    moved over to Bro. (Seth Hall)

  * Adapted BroControl to Bro 2.0 policy scripts.

  * A new plugin interface allows external Python code to hook into
    BroControl processing. See README for more information. (Robin
    Sommer)

    Two example plugins are shipped: (1) "ps.bro" shows all Bro
    processes currently running on any cluster node, even if not
    managed by BroControl; (2) "TestPlugin" is a demo plugin
    demonstrating all the functionality a plugin can use (but doesn't
    do anything sensible with it).

  * A new offline mode for processing a trace. The new command
    "process <trace>" runs Bro offline on the given trace, using the
    current BroControl configuration. One can optionally give give
    further Bro command line options and scripts. In cluster mode the
    the Bro process loads both manager and worker configurations
    simultaniously.

    Addresses #273. (Robin Sommer)

  * Removed the "analysis" command. (Seth Hall)

  * Installation does no longer differentiate between standalone and
    cluster mode. node.cfg now fully controls this. (Seth Hall)

  * Tons of little fixes, improvements, and polishing (Seth Hall, Jon
    Siwek, and Robin Sommer)

0.41-9 | 2011-06-01 11:35:36 -0700

  * Standardize shell script hashbang on install. (Jon Siwek)

  * Fix binary package broctl-config.sh symlink installation
    regression. (Jon Siwek)

  * Changes to allow DEB packaging via CPack, addresses #458. (Jon Siwek)

  * Fixed a problem with the "update" command, which could delete data
    from many global state tables unintentionally. (Seth Hall)

0.41-2 | 2011-05-02 11:29:07 -0700

  * Symlink install scripted at install time for CMake 2.6
    compatibility. (Jon Siwek)

0.41 | 2011-04-07 21:14:53 -0700

  * Tweaks to the documentation generation. (Robin Sommer)

  * CMake tweaks. (Jon Siwek)

  * Bugfix: trace-summary sampled in standalone mode rather than cluster
    mode. (Robin Sommer)

  * Bugfix: Creating links from the log directory to the current log files
    didn't work in standalone mode. (Robin Sommer)

0.4-19 | 2011-01-31 15:26:48 -0800

  * A new option CompressLogs (default on), indicating whether
    archived logs are to be gzipped. (Robin Sommer)

  * A lot of configure/cmake/install/package tuning. (Jon Siwek)

  * Adding /sbin and /usr/sbin to path local-interfaces script
    searches for ifconfig. Closes #293. (Robin Sommer)

  * Fixing uncaught exception in lock file handling. (Seth Hall).

  * Making cluster event specifications redefinable. (Seth Hall).

  * Fixing for pretty printing numerical values. (Seth Hall).

  * Fixing "netstats" command distinction between cluster and
    standalone mode. (Justin Azoff)

0.4-10 | 2011-01-15 14:14:05 -0800

  * Changes for CPack binary packaging (Jon Siwek)

  * Fix package configuration macro returning from sub-project too early (Jon Siwek)

  * Add warning when building and installing are done by different users (Jon Siwek)

  * Changes to broctl's "make install" process (Jon Siwek)

    - Simplify install by not compiling python code.
    - The broctl-config.sh symlink needs to be made at configure time
      and install()'ed in order for CPack packaging to correctly bundle it
    - Reverted a change in (90ddc4d) to that caused spool/ and logs/
      directories to not be installed in the case that they existed at
      configure time.

  * Fix for PackageMaker not accepting non-numeric versions (Jon Siwek)

0.4-9 | 2011-01-12 08:51:11 -0800

  * Making df portably deal with long lines in the OS's df output.
    (Robin Sommer)

0.4-8 | 2011-01-04 20:30:41 -0800

  * Changing some installation paths. "broctl install" copied a
    number of files to share/bro/*, which violates the common
    assumption that things there are static. It can also create
    permission problems if the user running "broctl install" is not
    the one installing Bro. So now the pieces copied/generated by
    "broctl install" are moved to spool/*. (Robin Sommer)

  * The CMake install does no longer recreate some of the top-level
    directories when they already exist. That makes it possible to
    now symlink them somewhere else after the first install. (Robin
    Sommer)

  * When broctl doesn't find spool/broctl.dat it no longer aborts
    but just warns. That allows CMake to skip installing an empty
    one. (Robin Sommer)

  * Deleting an unused policy file. (Robin Sommer)

  * Updating update-changes script. (Robin Sommer)

0.4-5 | 2010-12-20 14:10:25 -0800 | 768a9e550c3554de2e0bf9e3af2ae99400203046

  * New helper script for maintaing CHANGES file. (Robin Sommer)

0.4-1 | 2010-12-20 12:03:34 -0800 | a05be1242b4e06dca1bb1a38ed871e7e2d78181b

  * Fix for dealing with large vsize values reported by "top" (Craig
    Leres)

  * Fixed the top helper script to assign the command variable
    appropriately. (Seth Hall)

  * Escape commands given to CMake's execute_process (Jon Siwek)

0.4 | Fri Dec 10 01:35:36 2010 -0800 | df922e8a64a631aadb485b5044fe9ae1046d47ca

- Moving BroControl to its own git repository.

- Converting README to reST format.

- Renamed "Capstats" config option to "CapstatsPath".

- Merge with Subversion repository as of r7098. Incorporated changes:

  o Increasing default timeouts for scan detector significantly.

  o Increasing the manager's max_remote_events_processed to
    something large, as it would slow down the process too much
    otherwise and there's no other work to be interleaved with it
    anyway.

  o Adding debug output to cluster's part of catch-and-release
    (extends the debugging already present in policy/debug.bro)

  o Fixing typo in util.py. Closes #223.

  o Added note to README pointing to HTML version.

  o Disabling print_hook for proxies' remote.log.

  o broctl's capstats now reports a total as well, and stats.log
    tracks these totals. Closes #160.

  o Avoiding spurious "waiting for lock" messages in cron mode.
    Closes #206.

  o Bug fixes for installation on NFS.

  o Bug fix for top command on FreeBSD 8.

  o crash-diag now checks whether gdb is available.

  o trace-summary reports the sample factor in use in its output,
    and now also applies it to the top-local-networks output (not
    doing the latter was a bug).

  o Removed the default twice-a-day rotation for conn.log. The
    default rotation for conn.log now is now once every 24h, just
    like for all other logs with the exception of mail.log (which is
    still rotated twice a day, and thus the alarms are still mailed
    out twice a day).

  o Fixed the problem of logs sometimes being filed into the wrong
    directory (see the (now gone) FAQ entry in the README).

  o One can now customize the archive naming scheme. See the
    corresponding FAQ entry in the README.

  o Cleaned up, and extended, collection of cluster statistics.

    ${logdir}/stats now looks like this:

      drwxr-xr-x   4 bro  wheel      59392 Apr  5 17:55 .
      drwxr-xr-x  96 bro  wheel       2560 Apr  6 12:00 ..
      -rw-r--r--   1 bro  wheel        576 Apr  6 16:40 meta.dat
      drwxr-xr-x   2 bro  wheel       2048 Apr  6 16:40 profiling
      -rw-r--r--   1 bro  wheel  771834825 Apr  6 16:40 stats.log
      drwxr-xr-x   2 bro  wheel       2048 Apr  6 16:25 www

    stats.log accumulates cluster statistics collected every time
    "cron" is called.

    - profiling/ keeps the nodes' prof.logs.

    - www/ keeps a subset of stats.log in CSV format for easy plotting.

    - meta.dat contains meta information about the current cluster
    state (in particular which nodes we have, and when the last
    stats update was done).

    Note that there is not Web setup yet to actually plot the data
    in www/.

  o BroControl now automatically maintains links inside today's log
    archive directory pointing to the current live version of the
    corresponding log file (if Bro is running). For example:

    smtp.log.11:52:18-current -> /usr/local/cluster/spool/manager/smtp.log

  o Alarms mailed out by BroControl now (1) have the notice msg in the
    subject; and (2) come with the full mail.log entry in the body.
