[Bro] Cluster Best Practices
bro at pingtrip.com
Mon Sep 22 15:04:23 PDT 2014
I’m looking for feedback (or pointers to existing write-ups) on “best practices” for Bro cluster deployments. I’m planning to deploy workers to multiple geographic datacenters and I’m looking to weigh the pros/cons of two scenarios:
1) Global Manager for all workers
- Should there also be a global proxy or are there benefits to having one in each datacenter?
2) Local Manager (per datacenter) for workers in that specific datacenter
- Proxy would be local as well
A global manager would obviously be easier to manage/maintain but my concerns are:
- Amount of “long-haul” traffic being generated to push log events to the manager
- If the manager crashes, are the workers queuing events until they re-connect to the manager?
In a scenario of separate managers per datacenter:
- Can proxies still “sync” with each other? (e.g. push intel to workers watching similar traffic in each datacenter)