[Bro] Just installed bro cluster
William L. Jones
jones at tacc.utexas.edu
Fri Jun 19 10:50:46 PDT 2009
The worker node is on an amd system with 4 cores running linux, it is just a starter system made from spare part and will be expanded at some future date to a full bro cluster with maniple work machines. It has two dual port 10 GigE interfaces.
Here are few thing that I think need a little work in the bro cluster setup.
* The interface definition needs to allow multiple interfaces to be specified. In my the output of a tap is feed in a dual port 10 GigE card so I have to have bro read from two network interfaces. Right now you can work around the problem by just adding -I <second interface> on the node interface configuration line but I think it deserves a more formal solution.
* One of my 10 GigE circuits has 3 vlans on it which show up as 6 interfaces. With the non cluster version of bro I just ran with 3 different configuration files and kept logs and reports in three separate directories. One important side affect was that it allowed 3 separate instances of bro so that the system could spread the load across multiple cpus instead of one. With bro cluster I could not run 3 bro works on one machine due to the way the works and server talk to each other. I think it would be an important enhancements to bro cluster to allow multiple bro work instances on the same machine.
More information about the Bro