Support Questions
Find answers, ask questions, and share your expertise

metron-bro-plugin-kafka is not producing anything even though bro is generating logs

New Contributor

New Metron user. I set up a beefy box as a single node instance of Metron for learning purposes mostly following the instructions at with the primary exception that I installed the latest Bro release (2.5.3) from rpms before realizing that I needed the source for building the Kafka plugin so I built Bro from source, symlinked /opt/bro to /usr/local/bro, then built and installed the Kafka plugin. The end of my local.bro looks like:

redef Kafka::logs_to_send = set(Conn::LOG);

redef Kafka::topic_name = "bro";

redef Kafka::tag_json = T;

redef Kafka::kafka_conf = table( [""] = "" );

I know its picking this up because I was getting errors about misconfigurations here, such as when I forgot to change the IP address from the placeholder, and now bro starts without error. I send traffic to bro via tcp-replay, and I see that is working because I am getting the expected logs in /usr/local/bro/logs/current, such as conn.log . Before doing that I set up a Kafka cli consumer:

[root@ip-172-31-38-75 ~]# /usr/hdp/ --zookeeper localhost:2181 --topic bro

{,,, security.protocol=PLAINTEXT}

I would expect to get spammed by conn logs on that consumer, but... nothing.

Any thoughts on where I went wrong or how I can go about debugging this?





how exactly are you starting bro? I was doing bro -i eth0 & . and nothing got posted to kafka. I changed it to

bro -i eth0 /usr/local/bro/share/bro/site/local.bro & . and the messages started appearing in kafka

New Contributor

Hi Terry, do you figure out this, I have the same problem.

Hi terry, i am facing same issue, i can see logs generated by bro, but it is not pushing anything to kafka topic, can you please share how you solved this.


If i guess it right the issue is with rdkafka, it bonds with kafka on port 9092 but in case of hortonworks, kafka listens on port 6667 all you have to do, redefine your kafka port in your bro script and redeploy bro with broctl.

#Write this below the @load statements in your bro script. This will override your rdkafka config and you can see your logs emitting to kafka topic.

 redef Kafka::topic_name = "bro-kafka-topic";
redef Kafka::tag_json = T;
redef Kafka::kafka_conf = table(
    [""] = "localhost:6667",
    [""] = "bro"