[Bro] intel.log file stops getting generated.
fatema.bannatwala at gmail.com
Wed Jan 25 11:06:16 PST 2017
Thanks Justin for suggesting some tools :-) will try those (Maybe Munin
Here's the output of the cmds:
$ wc -l conn.log
$ cat conn.log|bro-cut id.resp_p |fgrep -cw 23
$ cat conn.log|bro-cut history|sort|uniq -c |sort -rn|head
On Wed, Jan 25, 2017 at 1:42 PM, Azoff, Justin S <jazoff at illinois.edu>
> > On Jan 25, 2017, at 1:28 PM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
> > Yeah, all procs pretty much the same, not sure why there is a
> > parent/child pair for each process, thought it would just be 22 processes
> > per node, hmm interesting.
> The child process handles the communication to the manager/proxies. These
> will go away once the conversion to broker is done.
> > I think we don't have any system monitoring graphs on the workers
> > (Looking into installing some tool to do that, was googling about the same
> > I can set up a cron to do broctl top and send the output to a file.
> Munin is crazy easy to get up and running and does the job, but it's not
> the best monitoring system out there. You can also use things like sar to
> collect data and use something else to graph it.
> > The misc/detect-traceroute script isn't loaded, but misc/scan is loaded
> > in local.bro, was just about to configure Aashish's scan-NG script to
> > detect other kinds of scans as well, but
> > seeing the boxes already swapping, chucked the plan :(
> Ah.. if your network sees a lot of scan traffic, scan.bro could be what is
> killing your cluster.
> If you run these commands, what values do you get?
> wc -l conn.log
> cat conn.log|bro-cut id.resp_p |fgrep -cw 23
> cat conn.log|bro-cut history|sort|uniq -c |sort -rn|head
> - Justin Azoff
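
The three commands in this thread measure how much of conn.log is scan-like traffic, the load that scan.bro has to track. As an added example (not part of either message and not Bro project code), the script below computes the same figures with plain awk by reading column positions from the `#fields` header, so it also runs where bro-cut is not installed. The function names are hypothetical, and the log rows are constructed with a reduced column set and documentation-range addresses.

```shell
#!/bin/sh
# Added example, not from the thread: the three conn.log figures, computed
# without bro-cut by reading column positions from the "#fields" header.

# field_values FILE FIELD: print one column of a Bro TSV log.
field_values() {
    awk -F '\t' -v want="$2" '
        /^#fields/ { for (i = 2; i <= NF; i++) if ($i == want) col = i - 1; next }
        /^#/       { next }
        col        { print $col }
    ' "$1"
}

# conn_count FILE: data records only (wc -l also counts the "#" header lines).
conn_count() { awk '!/^#/ { n++ } END { print n + 0 }' "$1"; }

# port_count FILE PORT: connections whose id.resp_p is exactly PORT.
port_count() {
    field_values "$1" id.resp_p | awk -v p="$2" '$0 == p { n++ } END { print n + 0 }'
}

# top_history FILE N: the N most common history strings as "count value".
# A history of just "S" is a SYN that never saw a reply, typical of scans.
top_history() {
    field_values "$1" history | sort | uniq -c | sort -rn | head -n "$2" |
        awk '{ print $1, $2 }'
}

# make_sample FILE: constructed log; a real conn.log has many more fields.
# Port 2323 is included to show that only an exact port match is counted.
make_sample() {
    {
        printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\thistory\n'
        printf '1485370000\tC%s\t198.51.100.7\t40000\t192.0.2.10\t%s\ttcp\t%s\n' \
            1 23 S   2 23 S   3 23 S   4 2323 S \
            5 23 Sr  6 443 ShADadFf  7 80 ShADadFf
        printf '#close\t2017-01-25-19-00-00\n'
    } > "$1"
}

log=$(mktemp)
make_sample "$log"
echo "connections:  $(conn_count "$log")"
echo "to port 23:   $(port_count "$log" 23)"
echo "top history values:"
top_history "$log" 3
rm -f "$log"
```
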