[Bro] Packet loss during log rotation
seth at icir.org
Tue Sep 23 11:51:58 PDT 2014
On Sep 23, 2014, at 2:46 PM, Damian Gerow <damian.gerow at shopify.com> wrote:
> Standalone, as I slowly work towards cluster mode.
Switching to cluster mode with a single worker process is easy. Just use the cluster config example and only configure a single worker. Things should work basically the same as before.
> Is there a single thread handling both reading packets and disk I/O? Even at 5Mbps, I would have expected a single thread to be able to keep up with everything, unless it's waiting for compression.
Sort of. The actual file I/O is threaded, but I think that the way the external script is called that performs the rotation might accidentally block in some cases. Probably an area we should look into more closely some time.
International Computer Science Institute
(Bro) because everyone has a network
More information about the Bro