[Bro] Multiple masters to ease the workload

Close, Jason M. close at ou.edu
Tue Jun 2 07:29:39 PDT 2015

Our current configuration is showing a lot of heavy use by the master node.  We currently run around 6 worker nodes that feed data to the master, and while the master is keeping up in terms of CPU, it is consistently teetering on using all available RAM we can throw at it (128GB at the moment).  There are plans in place to increase our available bandwidth 10-fold, so the traffic coming to Bro will ramp up as well.

We could piece apart the subnets and create multiple Bro clusters.  But it would be nice to have a single cluster, and be able to continue to throw more workers and managers at it.  But I have not seen any documentation about configurations using multiple managers.  If that does exist, can someone point me in the right direction?

And if that doesn’t exist, can I get some suggestions about mitigations to this problem?  I know there are a lot of cool things being done with Bro, especially using scripts and APIs where Bro can help reduce traffic being thrown to it.  But due to the taps we have in place, and the manpower availability, right now, spinning up a little more hardware would be a much easier and more economical investment of our time.

