[Bro] Cluster Best Practices

Seth Hall seth at icir.org
Tue Sep 23 05:50:21 PDT 2014

On Sep 22, 2014, at 6:04 PM, Dave Crawford <bro at pingtrip.com> wrote:

> I’m looking for feedback (or pointers to existing write-ups) on “best practices” for Bro cluster deployments. I’m planning to deploy workers to multiple geographic datacenters and I'm looking to weigh the pros/cons of two scenarios:
> 1) Global Manager for all workers
>     - Should there also be a global proxy or are there benefits to having one in each datacenter?

Right now you can only have a single manager, and your proxies can't currently be connected with specific workers, so it's likely that if you set up one large cluster across multiple data centers you would end up with workers connecting to proxies in the other data center.

> 2)  Local Manager (per datacenter) for workers in that specific datacenter
>     - Proxy would be local as well

I think my previous answer answered this as well. :)

>  A global manager would obviously be easier to manage/maintain but my concerns are:
>  - Amount of “long-haul” traffic being generated to push log events to the manager
>  - If the manager crashes are the workers queuing events until they re-connect to the manager?

Right now, workers don't queue events like this.  Events are delivered immediately to everyone subscribed to them (so if a host is crashed and not connected, it's obviously not subscribed at that moment).

>  In a scenario of separate managers per datacenter:
>  - Can proxies still “sync” with each other? (e.g. push intel to workers watching similar traffic in each datacenter)

Intel data is not synchronized through the proxies.  I chose to do manual synchronization through events for the intel framework.

Your questions bring up a larger goal we have of creating hierarchical clusters.  This is something where I think the current broctl overhaul is the first step toward that, but there is a lot more work to do.  Ultimately what I'd like to see is that no matter how large your cluster is or how geographically dispersed, you can run your entire infrastructure as one Bro cluster.  Unfortunately we aren't there yet and it's going to be a while before we are.

For now, I would set up separate clusters in each data center.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
