[Bro] Netstats Error

Will baxterw3232 at gmail.com
Sat Jan 14 19:05:18 PST 2012


Saw a similar issue discussed here:
http://permalink.gmane.org/gmane.comp.security.detection.bro/4055, but
I am not using pf_ring to load balance and this was working for me not
long ago while running beta. I am thinking maybe a permissions issue?

[localhost]$ sudo broctl netstats
  worker-1: <error: cannot connect to>
  worker-2: <error: cannot connect to>
  worker-3: <error: cannot connect to>
  worker-4: <error: cannot connect to>
  worker-5: <error: cannot connect to>
  worker-6: <error: cannot connect to>
  worker-7: <error: cannot connect to>
  worker-8: <error: cannot connect to>

Everything seems to be running like it should though: (Except the ???'s)

[localhost]$ sudo broctl status
Name       Type       Host       Status        Pid    Peers  Started
manager    manager running       19387  9      14 Jan 20:33:07
proxy-1    proxy running       19423  ???    14 Jan 20:33:09
worker-1   worker running       20539  ???    14 Jan 20:33:11
worker-2   worker running       20541  ???    14 Jan 20:33:11
worker-3   worker running       20546  ???    14 Jan 20:33:11
worker-4   worker running       20549  ???    14 Jan 20:33:11
worker-5   worker running       20552  ???    14 Jan 20:33:11
worker-6   worker running       20556  ???    14 Jan 20:33:11
worker-7   worker running       20558  ???    14 Jan 20:33:11
worker-8   worker running       20560  ???    14 Jan 20:33:11

[localhost]$ sudo broctl capstats
Interface            kpps       mbps       (10s average)
------------------------------
                     2.1        10.6
                     1.9        8.6
                     1.7        6.3
                     1.8        8.3
                     2.5        9.0
                     1.2        4.3
                     1.8        7.8
                     2.3        11.1
Total                15.3       66.0

Also, I am wondering what kind of issues I might run into managing
several geographically disparate clusters from a single manager.
Currently, I have each set up as a separate bro cluster. I am most
concerned about the amount of traffic and possible congestion this
might cause. Is there a way to measure the amount of traffic between
the workers and manager if all are on the same server?  Would there be
major drawbacks by having the manager on a remote server, like
potential delayed or dropped communications?

Thanks in advance for the feedback.

