[Bro] Running a Bro cluster diskless?

Schoenefeld, Keith P. Keith_Schoenefeld at baylor.edu
Mon Apr 11 12:59:59 PDT 2011


With some guidance from Seth, Baylor is jumping into Bro in a 'timidly aggressive' (should I trademark that?) fashion.  We are currently working to build a Bro cluster that can analyze up to 2Gb/s of traffic.  We'll have about 900Mb/s of capacity once the upgrades to our exit are complete, with our real aggregate traffic measuring significantly below the 1.8Gb/s maximum.

We have purchased six systems and a switch: one front end system to run Click!, four worker systems, and a manager system.  A private network will be used between the frontend system and the workers and another will be used between the workers and the management system.

I have a history with running diskless HPC systems leveraging JessWulf [1], and hope/plan to do the same with our Bro configuration.  Simply put, JessWulf is an RPM based toolkit/guide for running RPM based Linux distributions in a master/node cluster environment, where all nodes are diskless.

I hope to use the 'manager' server as the master and the worker servers as the nodes in a JessWulf cluster to ease configuration and management.  I will certainly have some small local ramdisk as well as local hard drives for non-persistent scratch space as needed.

Now, for the question(s):

Does anyone have experience running Bro diskless like this already?  What are the common problems unique to this configuration, where will I likely want to leverage the local scratch space, and is this absolutely the wrong way to run a Bro cluster?

Thanks for any help,

-- KS

[1] - https://wiki.uis.georgetown.edu/display/CCF/JessWulf+-+A+Diskless+Beowulf+Cluster+Toolkit

Keith Schoenefeld
Information Security Analyst
Baylor University
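For readers mapping the topology described above onto BroControl, here is a node.cfg for one manager (with a co-located proxy) and four workers. This is an added example, not a file from the post or from the Bro project; the hostnames, private-network addresses and interface names are assumptions, and nothing in it addresses the diskless question itself (the manager and proxy still need somewhere to write logs and spool state).

```ini
# node.cfg (added example; addresses and interface names are assumed)
# The manager and proxy live on the management box and talk to the
# workers over the worker<->manager private network.  Each worker sniffs
# the interface on the frontend<->worker private network that the Click!
# front end feeds.

[manager]
type=manager
# address of the manager on the worker<->manager private network
host=10.1.0.1

[proxy-1]
type=proxy
# proxy co-located with the manager
host=10.1.0.1

[worker-1]
type=worker
# worker's address on the worker<->manager private network
host=10.1.0.11
# interface facing the Click! front end
interface=eth1

[worker-2]
type=worker
host=10.1.0.12
interface=eth1

[worker-3]
type=worker
host=10.1.0.13
interface=eth1

[worker-4]
type=worker
host=10.1.0.14
interface=eth1
```

The host entries are what BroControl uses to reach each node over SSH and what the cluster nodes use to connect to the manager and proxy, so they belong on the manager-side private network; the interface entries belong on the other private network, the one carrying the traffic the front end distributes.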
