Looking at the Bro stderr.log, I saw the following:


#1

[root@cs-hog-lmssc01 logger]# cat stderr.log
internal warning in /usr/lib64/bro/plugins/APACHE_KAFKA/scripts/Bro/Kafka/logs-to-kafka.bro, line 1: Discarded extraneous Broxygen comment: Setup Kafka output
loaded_scripts/Log::WRITER_KAFKAWRITER: Debug is turned off.
communication/Log::WRITER_KAFKAWRITER: Debug is turned off.
reporter/Log::WRITER_KAFKAWRITER: Debug is turned off.
stats/Log::WRITER_KAFKAWRITER: Debug is turned off.
weird/Log::WRITER_KAFKAWRITER: Debug is turned off.
conn/Log::WRITER_KAFKAWRITER: Debug is turned off.
%3|1523307444.147|FAIL|rdkafka#producer-1| [thrd:cs-hog-lmssc01.:9092/0]: cs-hog-lmssc01.:9092/0: Receive failed: Disconnected
%3|1523307444.159|ERROR|rdkafka#producer-1| [thrd:cs-hog-lmssc01.:9092/0]: cs-hog-lmssc01.:9092/0: Receive failed: Disconnected
send-mail: SENDMAIL-NOTFOUND not found
%3|1523307743.763|FAIL|rdkafka#producer-2| [thrd:localhost:9092/bootstrap]: localhost:9092/bootstrap: Receive failed: Disconnected
%3|1523307743.763|ERROR|rdkafka#producer-2| [thrd:localhost:9092/bootstrap]: localhost:9092/bootstrap: Receive failed: Disconnected
%3|1523307743.865|FAIL|rdkafka#producer-3| [thrd:cs-hog-lmssc01.:9092/0]: cs-hog-lmssc01.:9092/0: Receive failed: Disconnected
%3|1523307743.865|ERROR|rdkafka#producer-3| [thrd:cs-hog-lmssc01.:9092/0]: cs-hog-lmssc01.:9092/0: Receive failed: Disconnected
capture_loss/Log::WRITER_KAFKAWRITER: Debug is turned off.


#2

What does the output of the kafka log look like?

${log.dir}/kafka-broker-<your_hostname>.log


#3

%3|1523307444.147|FAIL|rdkafka#producer-1| [thrd:cs-hog-lmssc01.:9092/0]: cs-hog-lmssc01.:9092/0: Receive failed: Disconnected

This looks like bro was trying to write to Kafka and it failed to connect. Make sure the following shows an open port.

ss -lnt | grep 9092

And ensure that cs-hog-lmssc01 resolves to the IP that the socket is listening on. For example, if the output of ss shows the IP of 127.0.0.1 but the hostname resolves to (via DNS or the hosts file) 10.100.10.5, bro will not connect. They must match.
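
The check described in #3, as an added example that is not part of the original thread: it extracts the address bound to the broker port from `ss -lnt` output and compares it with the IP the hostname resolves to. The function names and the sample `ss` output are constructed for illustration; treating a wildcard bind as covering every local IP is an assumption.

```shell
#!/bin/sh
# Added example: compare the address a broker port is bound to (from `ss -lnt`)
# with the IP the broker hostname resolves to.

# Constructed sample of `ss -lnt` output (not taken from the host in the thread).
SS_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      50     [::ffff:127.0.0.1]:9092 *:*'

# Print the local address of every LISTEN socket on port $1 (ss output on stdin).
listen_addrs() {
    awk -v port="$1" '$1 == "LISTEN" {
        n = split($4, p, ":")
        if (p[n] == port) print substr($4, 1, length($4) - length(p[n]) - 1)
    }'
}

# Strip [] and the IPv4-mapped prefix that Java listeners often show.
normalize_addr() {
    a=${1#\[}; a=${a%\]}
    printf '%s\n' "${a#::ffff:}"
}

# Succeeds if a socket bound to $1 accepts connections sent to IP $2.
# Assumption: a wildcard bind (*, 0.0.0.0, ::) is treated as covering every local IP.
addr_matches() {
    l=$(normalize_addr "$1")
    case "$l" in '*'|0.0.0.0|::) return 0 ;; esac
    [ "$l" = "$2" ]
}

# stdin: ss -lnt output; $1 = port; $2 = resolved IP.
# Returns 0 = match, 1 = mismatch, 2 = no listener on that port.
check_listener() {
    addrs=$(listen_addrs "$1")
    [ -n "$addrs" ] || { echo "no listener on port $1"; return 2; }
    while read -r a; do
        addr_matches "$a" "$2" && { echo "ok: $a:$1 accepts $2"; return 0; }
    done <<EOF
$addrs
EOF
    echo "mismatch: port $1 bound to $(echo "$addrs" | tr '\n' ' ')but name resolves to $2"
    return 1
}

# Live use: ss -lnt | check_listener 9092 "$(getent hosts cs-hog-lmssc01 | awk '{print $1; exit}')"
printf '%s\n' "$SS_LOOPBACK" | check_listener 9092 10.100.10.5 || true
```

On the constructed sample this reports a mismatch, which is the 127.0.0.1 versus 10.100.10.5 case from the post.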