[Bro] Using workers without SSH possible?
sven at dreyer-net.de
Fri May 6 00:44:06 PDT 2016
Thanks for the detailed information, Robin. We are unable to send the
traffic of each subnet to a central bro instance because the
interconnection speed is about 500 kBit/s, while the subnets have 100
MBit/s or Gigabit Ethernet.
I am aware that rsync over SSH is already used. I was just searching for
a "non-persistent" connection between the workers and the central
manager/proxy because of frequent outages of the interconnection lines.
On 28.04.2016 at 17:13, Robin Sommer wrote:
> Actually BroControl is already using rsync over SSH, but it needs SSH
> for other stuff as well, as it runs commands on the worker nodes. The
> rsync is used for transferring the Bro setup over to the workers. The
> logs on the other hand are sent back via Bro's internal communication,
> neither SSH nor rsync involved there.
> Changing any of this remains tricky currently. However, we are planning
> to switch to a different deployment model eventually where each node
> maintains its Bro setup itself (so no rsync necessary anymore) and
> also keeps a persistent broctld running for inter-node communication
> (so no SSH executing commands anymore).
> With regard to other approaches to monitor subnets, some folks run a
> single-machine Bro cluster with multiple interfaces and then send each
> subnet's traffic to one interface. That can work pretty well in
> practice, but might not apply to your situation.
> On Thu, Apr 28, 2016 at 15:43 +0200, Sven Dreyer wrote:
>> On 27.04.2016 at 14:57, Glenn Forbes Fleming Larratt wrote:
>>> Doesn't rsync default to using ssh as its transport? Also, I'm not sure
>>> how using rsync vs. ssh improves things in the face of slow and
>>> unreliable networking between nodes; can you elaborate?
>> I thought of locally collecting bro logs and have a cron job
>> transferring the log file(s) in regular intervals. If the network is
>> down for 5 minutes, no problem, the log files will be transferred the
>> next time the cronjob runs.
>> If you use "rsync -e ssh", rsync uses SSH as transport, that's correct.
>> But rsync has a standalone daemon mode and does not need SSH to be used.
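The cron-based collection described in the quoted message (logs kept locally, transferred at intervals, retried on the next run after an outage) is shown below as an added example that is not part of the thread or of BroControl. The log directory, host name, rsync module name, lock path and the `--run` switch are assumptions; rsync's standalone daemon mode does not encrypt the transfer, so access to the module should be restricted on the receiving side.

```shell
#!/bin/sh
# Added example: ship rotated Bro logs from a remote sensor on a cron schedule.
# Assumed values (not from the thread): paths, host name, rsync module name.
LOG_DIR="${LOG_DIR:-/usr/local/bro/logs}"
DEST="${DEST:-rsync://manager.example.net/brologs/$(uname -n)/}"
LOCK="${LOCK:-/tmp/ship-bro-logs.lock}"
RSYNC="${RSYNC:-rsync}"

# Print rotated, compressed logs relative to $1. Files under current/ are
# still being written by Bro and are skipped.
pending_logs() {
    ( cd "$1" && find . -type f -name '*.log.gz' ! -path './current/*' | sort )
}

# Transfer pending logs from $1 to $2. rsync removes a source file only after
# that file has been transferred, so an outage mid-run leaves the rest queued
# locally for the next cron run.
ship_logs() {
    list=$(pending_logs "$1") || return 1
    [ -n "$list" ] || return 0          # nothing rotated yet
    printf '%s\n' "$list" |
        "$RSYNC" -a --partial --timeout=60 --remove-source-files \
                 --files-from=- "$1/" "$2"
}

# Skip this run if the previous one is still busy on the slow link.
main() {
    mkdir "$LOCK" 2>/dev/null || return 0
    trap 'rmdir "$LOCK"' EXIT
    ship_logs "$LOG_DIR" "$DEST"
}

# crontab entry (constructed): */5 * * * * /usr/local/bin/ship-bro-logs.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```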