[Bro] Manager swapping..
Azoff, Justin S
jazoff at illinois.edu
Thu Mar 23 07:43:39 PDT 2017
> On Mar 23, 2017, at 7:40 AM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
> Thanks Justin for the input :)
> I restarted Bro after disabling some of the protocols logging (like rdp, syslog, snmp etc) yesterday afternoon,
> as the machine is in production and needed to be fixed kind of "ASAP". Hence couldn't get a chance to run
> the broctl top while having the issue, I know you have mentioned it a couple of times in the past to use "broctl top"
> instead of normal "top", but magically I keep forgetting to do that, I think I should come up with my BRO troubleshoot
> guide, which should list some basic troubleshooting commands that you guys suggest in these emails :)
> Anyways, I did run the command today, and it looks like the manager process is overwhelmed,
> hmm I thought that it might be logger that might be having issues catching up on the load, but I was wrong:
> $ sudo -u bro /usr/local/bro/2.5/bin/broctl top manager logger
> Name     Type     Host  Pid    Proc    VSize  Rss   Cpu  Cmd
> logger   logger   IDS   60928  parent  2G     90M   17%  bro
> logger   logger   IDS   60932  child   522M   246M  5%   bro
> manager  manager  IDS   60990  child   1G     257M  35%  bro
> manager  manager  IDS   60973  parent  222G   31G   23%  bro
> It makes me think, if there is some memory leak issue with manager.
Are you loading misc/detect-traceroute or misc/scan in your local.bro?
- Justin Azoff