[Bro] Possible Bro Cluster communication issue?

Gary Faulkner gary at doit.wisc.edu
Thu Nov 14 20:26:28 PST 2013


Another Bro newbie here. Having an odd issue getting my Bro 2.2 
(release) cluster working properly. I have 2 physical hosts. The first 
host is running the manager, proxy, and some workers, and the second 
host is running several workers. After running broctl install and broctl 
start, the workers spin up on both hosts; however, the workers on host 2 
don't seem to be reliably reporting back to the master or connecting to 
the proxy.

I confirmed that the processes were running on both hosts and that ssh 
sessions were established between the two hosts, but a broctl status 
only showed peers for workers on the same host as the manager, fewer 
peers than expected for the proxy (about as many as were on host1), and 
broctl netstat didn't return any results for the workers on the second 

At some point the proxy crashed on my first run, and upon restarting 
everything I had the same results minus the proxy crash. Interestingly 
enough, broctl capstats did return results for both hosts, showing a 
relatively even workload of about 3Gbps each. Also, I didn't find any 
logs other than stderr and stdout on the second host in /bro/log or 
/bro/spool. Any thoughts?


Gary Faulkner
UW Madison
Office of Campus Information Security

