[Bro] Triplicate Entries in CONN Log
Azoff, Justin S
jazoff at illinois.edu
Tue Jan 2 11:52:53 PST 2018
> On Jan 2, 2018, at 2:39 PM, Philip Romero <promero at cenic.org> wrote:
> I did a quick search, but did not see any threads on this type of subject, so forgive me if this has already been discussed. We have a new bro server being stood up that looks to be creating multiple (3) entries for every conn log. Below is a sample of what I'm speaking of. We have 4 monitoring interfaces with varying numbers of CPU cores assigned to the 4 workers they are associated with. The number of entries appears to be related to the number of pf_ring workers created, because I changed the nodes from 3 lb_procs each to the below node.cfg config this morning and I am now seeing 1 to 5 entries for each log entry.
> Would this be an indication that there is a problem with our pf_ring setup? How might we confirm what may be causing this?
You're probably not really using pf_ring. Bro-doctor was written to troubleshoot problems like this.
bro-pkg install bro-doctor
You're either not linked against pf_ring properly, or possibly you installed bro and then pf_ring, in which case a (just fixed) bug in broctl will disable pf_ring and you need to add
pfringclusterid = 11
to your broctl.cfg
You should also look into using the native bro pf_ring plugin, which is a little harder to misconfigure.
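A quick way to confirm the symptom described in this thread before and after fixing the pf_ring setup is to count how many conn.log records share the same 5-tuple and start time (each worker that sees the same packets emits its own record with its own uid). The script below is an added example, not code from the thread or from the Bro project; the conn.log sample is constructed, and the one-second bucketing window is an assumption.

```python
"""Find duplicated flows in a Bro conn.log: several records with the same
5-tuple and start time but different uids, the pattern produced when more
than one worker processes the same packets."""
from collections import Counter, defaultdict

# Constructed sample conn.log (standard Bro header + 4 records). The first
# flow appears three times with three different uids; the second appears once.
SAMPLE_CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring
1514924400.123456\tCabc1\t10.0.0.5\t51234\t192.0.2.10\t443\ttcp\tssl
1514924400.123456\tCabc2\t10.0.0.5\t51234\t192.0.2.10\t443\ttcp\tssl
1514924400.123456\tCabc3\t10.0.0.5\t51234\t192.0.2.10\t443\ttcp\tssl
1514924401.000000\tCdef1\t10.0.0.6\t40000\t192.0.2.20\t80\ttcp\thttp
#close\t2018-01-02-11-52-53
"""

def parse_conn_log(text):
    """Yield one dict per record, naming columns from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header/footer lines and blank lines
        else:
            yield dict(zip(fields, line.split("\t")))

def find_duplicate_flows(text, window=1.0):
    """Group records by 5-tuple plus ts bucket (window seconds, assumed 1s);
    return only the groups that carry more than one uid."""
    groups = defaultdict(list)
    for rec in parse_conn_log(text):
        bucket = int(float(rec["ts"]) // window)
        key = (rec["id.orig_h"], rec["id.orig_p"], rec["id.resp_h"],
               rec["id.resp_p"], rec["proto"], bucket)
        groups[key].append(rec["uid"])
    return {k: uids for k, uids in groups.items() if len(uids) > 1}

def duplication_summary(text, window=1.0):
    """Histogram {copies: number_of_flows}; a healthy sensor shows only {1: n}."""
    groups = defaultdict(int)
    for rec in parse_conn_log(text):
        bucket = int(float(rec["ts"]) // window)
        groups[(rec["id.orig_h"], rec["id.orig_p"], rec["id.resp_h"],
                rec["id.resp_p"], rec["proto"], bucket)] += 1
    return Counter(groups.values())

if __name__ == "__main__":
    for flow, uids in find_duplicate_flows(SAMPLE_CONN_LOG).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]} {flow[4]} seen {len(uids)}x: {uids}")
    print(dict(duplication_summary(SAMPLE_CONN_LOG)))
```

Run it against a real conn.log (`python3 dupcheck.py < conn.log` after swapping the constant for `sys.stdin.read()`); a histogram with keys other than 1 after the pfringclusterid fix means workers are still seeing overlapping traffic.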