[Bro] Cluster Best Practices

Dave Crawford bro at pingtrip.com
Mon Sep 22 15:04:23 PDT 2014

I’m looking for feedback (or pointers to existing write-ups) on “best practices” for Bro cluster deployments. I’m planning to deploy workers to multiple geographic datacenters and I’m looking to weigh the pros/cons of two scenarios:

1) Global Manager for all workers
    - Should there also be a global proxy or are there benefits to having one in each datacenter?

2) Local Manager (per datacenter) for workers in that specific datacenter
    - Proxy would be local as well

A global manager would obviously be easier to manage/maintain but my concerns are:
    - Amount of “long-haul” traffic being generated to push log events to the manager
    - If the manager crashes, are the workers queuing events until they re-connect to the manager?

In a scenario of separate managers per datacenter:
    - Can proxies still “sync” with each other? (e.g. push intel to workers watching similar traffic in each datacenter)
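For readers following the thread, the two layouts described in the post can be written down as BroControl node.cfg files. This is an added illustration, not part of Dave's message and not an example from the Bro project; the hostnames, IP addresses and interface names are placeholders, and the assumption that each datacenter sniffs on `eth1` is made up for the example. Scenario 2 is really two independent clusters, so it needs two node.cfg files (one BroControl install per datacenter); both are shown in one block separated by comments.

```ini
# ---------------------------------------------------------------
# Scenario 1: one global manager, one proxy per datacenter.
# Single node.cfg on the global BroControl host.
# Placeholder addressing (assumed): 10.1.0.0/24 = datacenter A,
#                                   10.2.0.0/24 = datacenter B.
# ---------------------------------------------------------------
[manager]
type=manager
host=10.1.0.10

# Proxy located in datacenter A
[proxy-dcA]
type=proxy
host=10.1.0.10

# Proxy located in datacenter B (workers there talk to this one)
[proxy-dcB]
type=proxy
host=10.2.0.10

[worker-dcA-1]
type=worker
host=10.1.0.11
interface=eth1

[worker-dcB-1]
type=worker
host=10.2.0.11
interface=eth1

# ---------------------------------------------------------------
# Scenario 2: a local manager and proxy in each datacenter.
# File 1 of 2: node.cfg on the datacenter A BroControl host.
# ---------------------------------------------------------------
[manager]
type=manager
host=10.1.0.10

[proxy-1]
type=proxy
host=10.1.0.10

[worker-1]
type=worker
host=10.1.0.11
interface=eth1

# ---------------------------------------------------------------
# Scenario 2, file 2 of 2: node.cfg on the datacenter B
# BroControl host. Same shape, local addresses only.
# ---------------------------------------------------------------
[manager]
type=manager
host=10.2.0.10

[proxy-1]
type=proxy
host=10.2.0.10

[worker-1]
type=worker
host=10.2.0.11
interface=eth1
```

In scenario 1 only the manager and proxy sections differ from a single-site cluster; the worker sections simply point at hosts in each site, and every worker still reports to the single manager across the WAN. In scenario 2 each file is a complete stand-alone cluster, which is what makes the question about cross-site proxy synchronization the interesting part of that design.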
