[Bro-Dev] Broker port status

Jon Siwek jsiwek at corelight.com
Thu Mar 8 15:46:00 PST 2018


On Thu, Mar 8, 2018 at 5:07 PM, Azoff, Justin S <jazoff at illinois.edu> wrote:

> One thing I notice is that the traffic to/from the manager box and cpu has increased quite a bit.
>
> Ignoring the large CPU spikes from building the new branch just before the switch at 15:30, the overall cpu load on the manager box is about 3x higher.
> The bandwidth isn't terribly excessive, but it increased from about 16mbit to 40mbit (stupid graph is in mebibytes).
>
> Based on some capstats runs, it's all going to the logger port 47761.  I have another graph that shows the total log volume being written to disk and that hasn't changed.
> So it looks like this branch uses 2x the cpu and bandwidth to write the same volume of logs.

Interesting, I would have thought maybe the manager could be utilized
more, though not the logger.  Will have to think about that.

An interesting experiment you could try is switching to an alternate
implementation of the Known scripts.  E.g. stick this in local.bro:

redef Known::use_host_store = F;
redef Known::use_cert_store = F;
redef Known::use_device_store = F;
redef Known::use_service_store = F;

I'd expect that could reduce bandwidth a bit.

Using data stores the Known scripts do:

worker -> manager: put this key into your store if it doesn't exist
manager -> worker: the key was accepted (or rejected)
worker -> logger: log the key (sent only if manager accepted key as unique)

Else the alternate version of Known scripts do:

worker -> proxy: here's a key
proxy -> logger: log the key (if proxy hasn't seen it recently)

Maybe cuts out 1/3 the message volume contributed by Known scripts that way.

- Jon
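To make the two message flows concrete, here is an added Python model (not Bro code and not part of this thread) that counts the messages each design generates for the same stream of observations. It assumes the proxy's "seen recently" check is a window measured from when the key was last logged; the sample observations are constructed.

```python
from collections import Counter

def known_via_store(events):
    """Data-store design: every observation is a put-if-absent request to the
    manager, which always answers; the worker forwards the key to the logger
    only when the manager accepted it as new."""
    store = set()
    msgs = Counter()
    for _t, key in events:
        msgs["worker->manager"] += 1      # put this key if it doesn't exist
        msgs["manager->worker"] += 1      # accepted / rejected reply
        if key not in store:
            store.add(key)
            msgs["worker->logger"] += 1   # only unique keys are logged
    return msgs

def known_via_proxy(events, recent_window=float("inf")):
    """Proxy design: the worker hands the key to a proxy, which logs it unless
    it already logged that key within recent_window seconds (assumption:
    the window runs from the last time the key was logged)."""
    logged_at = {}
    msgs = Counter()
    for t, key in events:
        msgs["worker->proxy"] += 1
        if key not in logged_at or t - logged_at[key] > recent_window:
            logged_at[key] = t
            msgs["proxy->logger"] += 1
    return msgs

def total(msgs):
    return sum(msgs.values())

# Constructed sample: 4 distinct hosts observed 10 times over 100 seconds.
SAMPLE = [(0, "10.0.0.1"), (5, "10.0.0.2"), (10, "10.0.0.1"), (20, "10.0.0.3"),
          (30, "10.0.0.1"), (40, "10.0.0.2"), (50, "10.0.0.4"), (60, "10.0.0.1"),
          (80, "10.0.0.2"), (100, "10.0.0.3")]

if __name__ == "__main__":
    s, p = known_via_store(SAMPLE), known_via_proxy(SAMPLE)
    print("store design :", dict(s), "total", total(s))   # total 24
    print("proxy design :", dict(p), "total", total(p))   # total 14
```

For a stream of all-new keys the store design sends exactly 3 messages per key and the proxy design 2, which is where the "about 1/3" estimate comes from; repeated keys make the proxy design look even better because the manager round trip happens on every observation.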

