[Bro] [EXTERNAL] Re: Bro-2.5.2 and PF_RING 6.7 not load balancing properly

Lamps, Jereme jlamps at sandia.gov
Tue Feb 6 07:55:24 PST 2018


Your solution seems to have fixed it. 



On 1/31/18, 11:27 AM, "Azoff, Justin S" <jazoff at illinois.edu> wrote:

    > On Jan 30, 2018, at 3:07 PM, Lamps, Jereme <jlamps at sandia.gov> wrote:
    > It appears PF_RING is not properly load balancing between Bro instances. For example, I have a single Bro node with 5 bro procs. Every entry in http.log is duplicated 5 times (exact timestamp and all fields are identical except the UID). My conclusion is pf_ring is not splitting the traffic and that all procs are seeing all the traffic. 
    You may be running into an issue that was recently fixed in broctl and will be resolved in the next release.  Depending on the order you install things in, pf_ring load balancing can end up disabled.
    What does the following output for your host?
        [root at bro-dev ~]# broctl config | grep pfring
        pfringclusterid = 21
        pfringclustertype = 4-tuple
        ringfirstappinstance = 0
    if you have pfringclusterid set to 0, that's the problem that was just fixed.  You can easily workaround that by adding
    PFRINGClusterID = 21
    to your /usr/local/bro/etc/broctl.cfg
    Once that is there, a broctl deploy should get everything working.
    Justin Azoff

More information about the Bro mailing list