[Bro] Manager swapping..

fatema bannatwala fatema.bannatwala at gmail.com
Thu Mar 23 06:40:07 PDT 2017

Thanks Justin for the input :)

I restarted Bro after disabling some of the protocols logging (like rdp,
syslog, snmp etc) yesterday afternoon,
as the machine is in production and needed to be fixed kind of "ASAP".
Hence couldn't get a chance to run
the broctl top while having the issue, I know you have mentioned it couple
of times in past to use "broctl top"
instead of normal "top", but magically I keep forgetting to do that, I
think I should come up with by BRO troubleshoot
guide, which should list some basic troubleshooting commands that you guys
suggest in these emails :)

Anyways, I did run the command today, and it looks like the manager process
is overwhelmed,
hmm I thought that it might logger that might be having issues catching up
on the load, but I was wrong:

$ sudo -u bro /usr/local/bro/2.5/bin/broctl top manager logger
Name         Type    Host   Pid     Proc    VSize  Rss  Cpu   Cmd
logger       logger   IDS   60928    parent    2G    90M  17%  bro
logger       logger   IDS   60932    child   522M   246M   5%  bro
manager      manager  IDS   60990    child     1G   257M  35%  bro

*manager      manager  IDS   60973    parent  222G    31G  23%  bro*
It makes me think, if there is some memory leak issue with manager.



On Wed, Mar 22, 2017 at 7:51 PM, Azoff, Justin S <jazoff at illinois.edu>

> > On Mar 22, 2017, at 7:41 PM, Azoff, Justin S <jazoff at illinois.edu>
> wrote:
> > Hopefully multiple logger nodes can be supported officially at some
> point.
> And right after I send this I see that Daniel has a branch of broctl with
> the initial changes needed to make this work.
> --
> - Justin Azoff
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170323/4c826053/attachment.html 

More information about the Bro mailing list