Tue Dec 16 23:17:26 PST 2014
files, our CPU utilization is generally 99%, and the packet filter seems
to be dropping a high percentage of packets.
We are going to re-design our Bro architecture and are seeking
recommendations for hardware and OS.
We are currently considering running FreeBSD 6.0 instead of RedHat if that
will provide better performance.
We are also considering splitting the collecting and initial log creation
from the subsequent log processing we perform to retain data in our
database. We suspect we will need stronger machines for the initial
collection/log creation than for the subsequent processing, which is
primarily parsing the various log files.
We are looking at Sun Fire X4100 servers with our existing SK-9844 cards
for the "collector" systems. However, it appears that we cannot run
FreeBSD on the X4100 machines due a lack of support for the LSI SAS
(serial attached SCSI) HBA. So, we would instead keep RedHat.
As an alternative, we could use Sun Fire X2100 servers with SK-9E92 cards
for the collectors, running FreeBSD, as long as these would provide
We may run 4 collector machines, each listening to its own tap.
We were also thinking of using the Sun Fire X2100s for the secondary log
I suppose our questions are:
1) Which OS should we use - FreeBSD or RedHat?
2) Can anyone recommend using the Sun Fire X2100s or X4100s?
3) Does anyone have advice regarding the Syskonnect SK-9844 or SK-9E92 cards?
4) Is it reasonable to assume that the most intensive part of this process
is the initial collection and analysis by Bro which results in the various
Bro log files?
5) Are there other hardware or OS recommendations?
I'm sure I omitting something, but this is a good start.
Thanks in advance for your advice!
University of CA, Davis
Data Center & Client Services
jruggieri at ucdavis.edu
More information about the Bro