[Bro] Possible Bro Cluster communication issue?

Gary Faulkner gary at doit.wisc.edu
Thu Nov 14 21:20:48 PST 2013

Both hosts are running host based FWs, but disabling them doesn't appear 
to make a difference in the behavior. I can ssh between hosts just fine 
as the bro user with key-based auth and broctl seems to open an ssh 
session per worker between the two hosts that appear stay established 
throughout just fine. Does all the communication happen over those ssh 
sessions or are there other types of connections happening between 
master/proxy and worker?

On 11/14/2013 10:36 PM, Daniel Thayer wrote:
> On 11/14/2013 10:26 PM, Gary Faulkner wrote:
>> Hello,
>> Another Bro newbie here. Having an odd issue getting my bro 2.2
>> (release) cluster working properly. I have 2 physical hosts. The first
>> host is running the manager, proxy, and some workers, and the second
>> host is running several workers. After running broctl install and broctl
>> start the workers spin up on both hosts, however, the workers on host 2
>> don't seem to be reliably reporting back to the master or connecting to
>> the proxy.
>> I confirmed that the processes were running on both hosts and that ssh
>> sessions were established between the two hosts, but a broctl status
>> only showed peers for workers on the same host as the manager, fewer
>> peers than expected for the proxy (about as many as were on host1), and
>> broctl netstat didn't return any results for the workers on the second
>> host.
>> At some point the proxy crashed on my first run, and upon restarting
>> everything I had the same results minus the proxy crash. Interestingly
>> enough broctl capstats did return results for both hosts showing a
>> relatively even workload of about 3Gbps each. Also, I didn't find any
>> logs other than stderr and stdout on the second host in /bro/log or
>> /bro/spool. Any thoughts?
>> Regards,
> Did you check if a there's a firewall running on either host?
> If so, you could try turning it off temporarily to see if that resolves
> the problem.

Gary Faulkner
UW Madison
Office of Campus Information Security

More information about the Bro mailing list