[Bro] Bro cluster synchronization
raj at bivio.net
Fri Mar 25 06:50:57 PDT 2016
We are running around 20 to 30 Bro worker threads and 2 to 3 proxies, and having problems with performance. From what we can see, the bottleneck seems to be proxy communication. Cpus don't seem to be too busy, but spend time waiting for IO.
I would like to understand what types of data the proxy is synchronizing in addition to active IP addresses. If we use load balancing based on IP addresses only, so all sessions between two IP addresses are processed by the same worker, will we be missing any functionality by running Bro in standalone mode on each of our processors/cores? If we do this, I believe that related sessions should (almost always) be processed by the same worker, except in a few cases which I hope we can do without!
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Bro