<div dir="ltr"><div dir="ltr">On Thu, Dec 19, 2019 at 7:18 AM Jorge García Rodríguez <<a href="mailto:JorgeGarcia.1995@outlook.es">JorgeGarcia.1995@outlook.es</a>> wrote:<br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
I have ran bro-doctor as you said and certainly I saw interesting things, for example:</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div id="gmail-m_8854684454924686212Signature">
<div>
<div id="gmail-m_8854684454924686212appendonsend"></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<span>###################################################################<br>
</span>
<div># Checking if connections are unevenly distributed across workers #<br>
</div>
<div>###################################################################<br>
</div>
<div>error: The distribution of connections across workers seems uneven:<br>
</div>
<div>worker-1-5: 462 connections<br>
</div>
<div>worker-1-4: 890 connections<br>
</div>
<div>worker-1-7: 874 connections<br>
</div>
<div><span style="background-color:rgb(255,0,0)">worker-1-6: 4122 connections</span><br>
</div>
<div>worker-1-1: 432 connections<br>
</div>
<div>worker-1-3: 930 connections<br>
</div>
<div>worker-1-2: 907 connections<br>
</div>
<div>worker-1-9: 451 connections<br>
</div>
<div>worker-1-8: 435 connections<br>
</div>
<div>worker-1-10: 497 connections</div></div></div></div></div></blockquote><div><br></div><div>Interesting indeed. If you look at your conn log can you tell anything about all those connections that worker-1-6 is seeing?</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div id="gmail-m_8854684454924686212Signature"><div><div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)"><div><br></div><div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif;background-color:rgb(255,255,255);display:inline">Let me know what do you think about the report.</span></div>
<div><br>
</div>
<div>I have checked about the PF_Ring plugin but it gives me an error, im not sure if im following the last update of this plugin.</div>
<div><a href="https://github.com/ntop/bro-pf_ring" id="gmail-m_8854684454924686212LPlnk597229" target="_blank">https://github.com/ntop/bro-pf_ring</a></div></div></div></div></div></div></blockquote><div><br></div><div>you should be able to zkg install bro-pf_ring.. or install it manually with ./configure && make && sudo make install. are you getting an error when you do that?</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div id="gmail-m_8854684454924686212Signature"><div><div style="font-family:Calibri,Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<div>Also doing a further investigation it seems that the script that is overcharguing the cpu is the weird.zeek ¿Is there a way to disable this script?</div></div></div></div></div></blockquote><div><br></div><div>Do you say that because you have a lot of entries in the weird log? that points to traffic issues that need to be fixed... disabling the weird logs will just ignore the problem. What are the top weirds that you are seeing?</div><div><br></div><div> cat /usr/local/zeek/logs/current/weird.log |zeek-cut name|sort|uniq -c|sort -rn</div><div><br></div><div>What did you see as the result from this check?</div><div><br></div><div># Checking if many recent connections have a SAD or had history</div><div><br></div><div> <br></div></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr">Justin</div></div></div>