[Bro] Netstats Error

Will baxterw3232 at gmail.com
Sat Jan 14 19:05:18 PST 2012


All,

Saw a similar issue discussed here:
http://permalink.gmane.org/gmane.comp.security.detection.bro/4055, but
I am not using pf_ring to load balance and this was working for me not
long ago while running beta. I am thinking maybe a permissions issue?

[localhost]$ sudo broctl netstats
  worker-1: <error: cannot connect to 192.168.0.5:47763>
  worker-2: <error: cannot connect to 192.168.0.5:47764>
  worker-3: <error: cannot connect to 192.168.0.5:47765>
  worker-4: <error: cannot connect to 192.168.0.5:47766>
  worker-5: <error: cannot connect to 192.168.0.5:47767>
  worker-6: <error: cannot connect to 192.168.0.5:47768>
  worker-7: <error: cannot connect to 192.168.0.5:47769>
  worker-8: <error: cannot connect to 192.168.0.5:47770>

Everything seems to be running like it should though: (Except the ???'s)

[localhost]$ sudo broctl status
Name       Type       Host       Status        Pid    Peers  Started
manager    manager    192.168.0.5 running       19387  9      14 Jan 20:33:07
proxy-1    proxy      192.168.0.5 running       19423  ???    14 Jan 20:33:09
worker-1   worker     192.168.0.5 running       20539  ???    14 Jan 20:33:11
worker-2   worker     192.168.0.5 running       20541  ???    14 Jan 20:33:11
worker-3   worker     192.168.0.5 running       20546  ???    14 Jan 20:33:11
worker-4   worker     192.168.0.5 running       20549  ???    14 Jan 20:33:11
worker-5   worker     192.168.0.5 running       20552  ???    14 Jan 20:33:11
worker-6   worker     192.168.0.5 running       20556  ???    14 Jan 20:33:11
worker-7   worker     192.168.0.5 running       20558  ???    14 Jan 20:33:11
worker-8   worker     192.168.0.5 running       20560  ???    14 Jan 20:33:11

[localhost]$ sudo broctl capstats
Interface            kpps       mbps       (10s average)
------------------------------
192.168.0.5/eth10 2.1        10.6
192.168.0.5/eth11 1.9        8.6
192.168.0.5/eth4  1.7        6.3
192.168.0.5/eth5  1.8        8.3
192.168.0.5/eth6  2.5        9.0
192.168.0.5/eth7  1.2        4.3
192.168.0.5/eth8  1.8        7.8
192.168.0.5/eth9  2.3        11.1
Total                15.3       66.0

Also, I am wondering what kind of issues I might run into managing
several geographically disparate clusters from a single manager.
Currently, I have each set up as a separate Bro cluster. I am most
concerned about the amount of traffic and possible congestion this
might cause. Is there a way to measure the amount of traffic between
the workers and manager if all are on the same server?  Would there be
major drawbacks by having the manager on a remote server, like
potential delayed or dropped communications?

Thanks in advance for the feedback.

-Will

