[Bro] Possible Bro Cluster communication issue?

Gary Faulkner gary at doit.wisc.edu
Fri Nov 15 00:05:40 PST 2013

Actually, it was the firewall, but I also had a secondary problem in 
that the proxy was constantly crashing due to a lack of system resources so 
it didn't initially appear that disabling the firewall relieved the 
communication problem. I didn't recall seeing any FW considerations 
beyond ssh in the documentation, but I did eventually find an external 
document at https://gist.github.com/grigorescu/3776670 and a quick 
netstat allowed me to confirm the ports on my hosts. Thanks for the help!

On 11/14/2013 11:20 PM, Gary Faulkner wrote:
> Both hosts are running host based FWs, but disabling them doesn't appear
> to make a difference in the behavior. I can ssh between hosts just fine
> as the bro user with key-based auth and broctl seems to open an ssh
> session per worker between the two hosts that appear to stay established
> throughout just fine. Does all the communication happen over those ssh
> sessions or are there other types of connections happening between
> master/proxy and worker?
> On 11/14/2013 10:36 PM, Daniel Thayer wrote:
>> On 11/14/2013 10:26 PM, Gary Faulkner wrote:
>>> Hello,
>>> Another Bro newbie here. Having an odd issue getting my bro 2.2
>>> (release) cluster working properly. I have 2 physical hosts. The first
>>> host is running the manager, proxy, and some workers, and the second
>>> host is running several workers. After running broctl install and broctl
>>> start the workers spin up on both hosts, however, the workers on host 2
>>> don't seem to be reliably reporting back to the master or connecting to
>>> the proxy.
>>> I confirmed that the processes were running on both hosts and that ssh
>>> sessions were established between the two hosts, but a broctl status
>>> only showed peers for workers on the same host as the manager, fewer
>>> peers than expected for the proxy (about as many as were on host1), and
>>> broctl netstat didn't return any results for the workers on the second
>>> host.
>>> At some point the proxy crashed on my first run, and upon restarting
>>> everything I had the same results minus the proxy crash. Interestingly
>>> enough broctl capstats did return results for both hosts showing a
>>> relatively even workload of about 3Gbps each. Also, I didn't find any
>>> logs other than stderr and stdout on the second host in /bro/log or
>>> /bro/spool. Any thoughts?
>>> Regards,
>> Did you check if there's a firewall running on either host?
>> If so, you could try turning it off temporarily to see if that resolves
>> the problem.

Gary Faulkner
UW Madison
Office of Campus Information Security
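
The netstat check mentioned in the final reply, as an added example that is not part of the original thread: it lists the TCP ports the `bro` processes listen on and reports those a host firewall would not admit from the other cluster node. The sample netstat output, its ports and PIDs, and the function names are constructed for illustration; the allowed-port set is an assumption.

```python
"""Added example: find Bro listeners that a host firewall would block."""

# Constructed sample of `netstat -tlnp` output; the ports, addresses and
# PIDs are made up for illustration and are not taken from the thread.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1021/sshd
tcp        0      0 0.0.0.0:47761           0.0.0.0:*               LISTEN      4410/bro
tcp        0      0 0.0.0.0:47762           0.0.0.0:*               LISTEN      4466/bro
tcp6       0      0 :::47763                :::*                    LISTEN      4502/bro
tcp        0      0 127.0.0.1:47999         0.0.0.0:*               LISTEN      4550/bro
tcp        0      0 10.0.0.5:47761          10.0.0.6:51234          ESTABLISHED 4410/bro
"""

# Listeners bound to loopback are never reached by a remote node.
LOOPBACK = {"127.0.0.1", "::1"}


def bro_listeners(netstat_text, program="bro"):
    """Return (address, port) pairs the named program listens on, by port."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Columns: proto recv-q send-q local foreign state pid/program
        if len(fields) < 7 or not fields[0].startswith("tcp"):
            continue
        if fields[5] != "LISTEN":
            continue
        # Without root, netstat prints "-" here and the line is skipped.
        if fields[6].partition("/")[2] != program:
            continue
        # rpartition keeps IPv6 addresses such as "::" intact.
        addr, _, port = fields[3].rpartition(":")
        found.add((addr, int(port)))
    return sorted(found, key=lambda pair: (pair[1], pair[0]))


def blocked_ports(netstat_text, allowed_ports, program="bro"):
    """Ports remote cluster nodes need that the firewall does not allow."""
    remote = {port for addr, port in bro_listeners(netstat_text, program)
              if addr not in LOOPBACK}
    return sorted(remote - set(allowed_ports))


if __name__ == "__main__":
    # Assumption: the host firewall admits only ssh (tcp/22).
    for port in blocked_ports(SAMPLE_NETSTAT, allowed_ports={22}):
        print(f"tcp/{port}: bro is listening but the firewall does not allow it")
```

On a real host, pass the output of `netstat -tlnp` (run as root so the program column is populated) in place of the sample.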
