[Bro] intel.log file stops getting generated.

fatema bannatwala fatema.bannatwala at gmail.com
Wed Jan 25 11:06:16 PST 2017


Thanks Justin for suggesting some tools :-) Will try those (maybe Munin
first).

Here's the output of the cmds:

$ wc -l conn.log
12913751 conn.log

$ cat conn.log|bro-cut id.resp_p |fgrep -cw 23
3

$ cat conn.log|bro-cut history|sort|uniq  -c |sort -rn|head
4230547 S
2938925 Dd
1059285 ShADadFf
 968902 ShADadfF
 915401 D
 212507 ShAFf
 177731 SAF
 177359 ShADadFfR
 159024 ShADadfFr
 140911 ShADdaFf
On Wed, Jan 25, 2017 at 1:42 PM, Azoff, Justin S <jazoff at illinois.edu>
wrote:

> > On Jan 25, 2017, at 1:28 PM, fatema bannatwala <
> fatema.bannatwala at gmail.com> wrote:
> >
> > Yeah, all procs pretty much the same, not sure why there is a
> parent/child pair for each process, thought it would just be 22 processes
> per node, hmm interesting.
>
> The child process handles the communication to the manager/proxies.  These
> will go away once the conversion to broker is done.
>
> > I think we don't have any system monitoring graphs on the workers
> (Looking into installing some tool to do that, was googling about the same
> :)).
> > I can set up a cron to do broctl top and send the output to a file.
>
> Munin is crazy easy to get up and running and does the job, but it's not
> the best monitoring system out there.  You can also use things like sar to
> collect data and use something else to graph it.
>
> > The misc/detect-traceroute script isn't loaded, but misc/scan is loaded
> in local.bro, was just about to configure Aashish's scan-NG script to
> detect other kinds of scans as well, but
> > seeing the boxes already swapping, chucked the plan :(
>
> Ah.. if your network sees a lot of scan traffic, scan.bro could be what is
> killing your cluster.
>
> If you run these commands, what values do you get?
>
>     wc -l conn.log
>     cat conn.log|bro-cut id.resp_p |fgrep -cw 23
>     cat conn.log|bro-cut history|sort|uniq  -c |sort -rn|head
>
> --
> - Justin Azoff
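As an added example (not from the thread or the Bro project), the three checks Justin asks for, carried out in Python over a constructed, trimmed conn.log instead of a shell pipeline: record count, connections with id.resp_p 23, and the history histogram. It also reports the share of records whose history is just "S" (a SYN that was never answered), which is the shape a scan-heavy network leaves in conn.log.

```python
"""The three conn.log checks from the thread, in Python (added example).

conn.log is tab-separated; the '#fields' header names the columns and
'history' lists the TCP state letters seen (uppercase = originator,
lowercase = responder). A history of just 'S' is a SYN with no reply.
"""
from collections import Counter

# Constructed sample, trimmed to the columns these checks need.
SAMPLE_CONN_LOG = (
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\thistory\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\n"
    "1485370000.1\tC1\t10.0.0.5\t40001\t192.0.2.10\t23\ttcp\tS\n"
    "1485370000.2\tC2\t10.0.0.5\t40002\t192.0.2.11\t23\ttcp\tS\n"
    "1485370000.3\tC3\t10.0.0.5\t40003\t192.0.2.12\t22\ttcp\tS\n"
    "1485370001.0\tC4\t10.0.0.7\t51000\t198.51.100.4\t443\ttcp\tShADadFf\n"
    "1485370001.5\tC5\t10.0.0.7\t51001\t198.51.100.5\t53\tudp\tDd\n"
    "1485370002.0\tC6\t10.0.0.8\t51002\t198.51.100.6\t80\ttcp\tD\n"
    "#close\t2017-01-25-11-06-16\n"
)

def parse_conn_log(text):
    """Yield one dict per record, keyed by the names in the '#fields' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("conn.log record seen before #fields header")
            yield dict(zip(fields, line.split("\t")))

def summarize(text):
    """wc -l (data lines only; wc also counts '#' lines), fgrep -cw 23 on
    id.resp_p, and the history histogram, in one pass."""
    records = list(parse_conn_log(text))
    history = Counter(r["history"] for r in records)
    return {
        "records": len(records),
        "resp_p_23": sum(1 for r in records if r["id.resp_p"] == "23"),
        "history": history,  # .most_common(10) mirrors sort|uniq -c|sort -rn|head
        "syn_only_share": history["S"] / len(records) if records else 0.0,
    }

if __name__ == "__main__":
    s = summarize(SAMPLE_CONN_LOG)
    print(s["records"], "records;", s["resp_p_23"], "to resp_p 23")
    for hist, n in s["history"].most_common(10):
        print(f"{n:>8} {hist}")
    print(f"SYN-only (history 'S') share: {s['syn_only_share']:.0%}")
```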