[Bro] [EXTERNAL] Re: Bro-2.5.2 and PF_RING 6.7 not load balancing properly
jlamps at sandia.gov
Tue Feb 6 07:55:24 PST 2018
Your solution seems to have fixed it.
On 1/31/18, 11:27 AM, "Azoff, Justin S" <jazoff at illinois.edu> wrote:
> On Jan 30, 2018, at 3:07 PM, Lamps, Jereme <jlamps at sandia.gov> wrote:
> It appears PF_RING is not properly load balancing between Bro instances. For example, I have a single Bro node with 5 bro procs. Every entry in http.log is duplicated 5 times (exact timestamp and all fields are identical except the UID). My conclusion is pf_ring is not splitting the traffic and that all procs are seeing all the traffic.
You may be running into an issue that was recently fixed in broctl and will be resolved in the next release. Depending on the order you install things in, pf_ring load balancing can end up disabled.
What does the following output for your host?
[root at bro-dev ~]# broctl config | grep pfring
pfringclusterid = 21
pfringclustertype = 4-tuple
ringfirstappinstance = 0
if you have pfringclusterid set to 0, that's the problem that was just fixed. You can easily workaround that by adding
PFRINGClusterID = 21
to your /usr/local/bro/etc/broctl.cfg
Once that is there, a broctl deploy should get everything working.
More information about the Bro