[Bro] Triplicate Entries in CONN Log

Azoff, Justin S jazoff at illinois.edu
Tue Jan 2 11:52:53 PST 2018

> On Jan 2, 2018, at 2:39 PM, Philip Romero <promero at cenic.org> wrote:
> All,
> I did a quick search, but did not see any threads on this type of subject, so forgive me if this has already been discussed. We have a new bro server being stood up that looks to be creating multiple (3) entries for every conn log. Below is a sample of what I'm speaking of. We have 4 monitoring interfaces with varying numbers of CPU cores assigned to the 4 workers they are associated with. The number of entries appears to be related to the number of pf_ring workers created because I changed the nodes from 3 lb_procs each to the below node.cfg config this morning and I am now seeing 1 to 5 entries for each log entry.
> Would this be an indication that there is a problem with our pf_ring setup? How might we confirm what may be causing this?

You're probably not really using pf_ring.  Bro-doctor was written to troubleshoot problems like this.

    bro-pkg install bro-doctor
    broctl doctor.bro

You're either not linked against pf_ring properly, or possibly you installed bro and then pf_ring, in which case a (just fixed) bug in broctl will disable pf_ring and you need to add

    pfringclusterid = 11

to your broctl.cfg

You should also look into using the native bro pf_ring plugin, which is a little harder to misconfigure.

Justin Azoff
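As an added illustration (not part of the original thread, and not Bro's or bro-doctor's code), a small script to quantify the symptom Philip describes: it parses a Bro ASCII conn.log and counts how many times each connection appears at the same timestamp. With pf_ring load balancing working, each connection shows up once; if every worker sees all packets, each shows up once per worker. The key is the timestamp plus 5-tuple rather than uid, on the assumption that each worker assigns its own uid to its copy; the log lines below are constructed.

```python
import sys
from collections import Counter

# Constructed sample of a Bro ASCII conn.log: one TCP connection logged three
# times (one copy per worker, each with its own uid) and one UDP flow logged once.
SAMPLE_CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring
1514921973.123456\tCa1\t10.0.0.5\t51234\t192.0.2.10\t443\ttcp\tssl
1514921973.123456\tCb2\t10.0.0.5\t51234\t192.0.2.10\t443\ttcp\tssl
1514921973.123456\tCc3\t10.0.0.5\t51234\t192.0.2.10\t443\ttcp\tssl
1514921974.000001\tCd4\t10.0.0.7\t40000\t192.0.2.20\t53\tudp\tdns
"""

# Fields that identify one observed connection regardless of which worker logged it.
KEY = ("ts", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto")


def parse_conn_log(text):
    """Yield one dict per record, keyed by the column names from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue  # other header lines (#separator, #types, #close ...) and blanks
        if fields is None:
            raise ValueError("record seen before #fields header")
        yield dict(zip(fields, line.split("\t")))


def duplicate_report(text):
    """Return (total records, distinct connections, {copies_per_connection: count})."""
    counts = Counter(tuple(rec[k] for k in KEY) for rec in parse_conn_log(text))
    histogram = Counter(counts.values())
    return sum(counts.values()), len(counts), dict(histogram)


if __name__ == "__main__":
    # Usage: python dupcheck.py < conn.log   (falls back to the constructed sample)
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CONN_LOG
    total, distinct, hist = duplicate_report(data)
    print(f"{total} records, {distinct} distinct connections")
    for copies, n in sorted(hist.items()):
        print(f"  {n} connection(s) logged {copies} time(s)")
```

A histogram dominated by one value equal to the worker count (here 3) is the signature of workers all seeing the same traffic rather than a load-balanced share.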
