[Bro] Manager swapping..
fatema.bannatwala at gmail.com
Thu Mar 23 07:56:25 PDT 2017
Nope, based on our previous discussion in another thread,
I disabled the misc/scan, and loaded scan-NG-master script.
I always thought that the scripts would have more load on workers than
When I was seeing memory issues on workers, I stopped using misc/scan and
the scan-NG script.
Didn't know that it would impact manager performance as well, hmm.
On Thu, Mar 23, 2017 at 10:43 AM, Azoff, Justin S <jazoff at illinois.edu>
> > On Mar 23, 2017, at 7:40 AM, fatema bannatwala <
> fatema.bannatwala at gmail.com> wrote:
> > Thanks Justin for the input :)
> > I restarted Bro after disabling some of the protocols logging (like rdp,
> syslog, snmp etc) yesterday afternoon,
> > as the machine is in production and needed to be fixed kind of "ASAP".
> Hence couldn't get a chance to run
> > the broctl top while having the issue, I know you have mentioned it
> couple of times in past to use "broctl top"
> > instead of normal "top", but magically I keep forgetting to do that, I
> think I should come up with by BRO troubleshoot
> > guide, which should list some basic troubleshooting commands that you
> guys suggest in these emails :)
> > Anyways, I did run the command today, and it looks like the manager
> process is overwhelmed,
> > hmm I thought that it might logger that might be having issues catching
> up on the load, but I was wrong:
> > $ sudo -u bro /usr/local/bro/2.5/bin/broctl top manager logger
> > Name Type Host Pid Proc VSize Rss Cpu Cmd
> > logger logger IDS 60928 parent 2G 90M 17% bro
> > logger logger IDS 60932 child 522M 246M 5% bro
> > manager manager IDS 60990 child 1G 257M 35% bro
> > manager manager IDS 60973 parent 222G 31G 23% bro
> > It makes me think, if there is some memory leak issue with manager.
> Are you loading misc/detect-traceroute or misc/scan in your local.bro?
> - Justin Azoff
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Bro