[Bro-Dev] Broker has landed in master, please test

Jon Siwek jsiwek at corelight.com
Wed May 23 15:29:09 PDT 2018



On 5/23/18 3:12 PM, Michael Dopheide wrote:

> For here though, can you elaborate on the going down to one proxy?  My 
> understanding still isn't strong, but that seems to be opposed to the 
> idea of using Cluster::publish_hrw to spread memory across proxies.

The idea is to try starting with a single proxy and then scale your 
deployment based on what you actually need, and there may not be that 
great of a need at the moment as the default scripts that ship with Bro 
do not widely use the HRW/pool/partitioning APIs yet.

By default, it's currently just the Software framework that will use 
Cluster::publish_hrw.  I also plan to soon change the Intel framework to 
make use of Cluster::relay_rr.

There's also an option in the various Known::* scripts for users to 
opt in to an alternate implementation that uses HRW + tables instead of 
the default approach of data stores.

Different sites could also have different requirements/usage of those 
default scripts and it's all too new to give better suggestions other 
than "try one proxy, add more as needed".

- Jon
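
The "start with one proxy, add more as needed" advice above relies on how HRW (highest random weight, or rendezvous) hashing assigns keys to pool members. The following is an added example, not part of the original message and not Bro's own code. The SHA-256 weight function, the proxy names and the sample keys are assumptions made for illustration, and Bro's implementation may use a different hash.

```python
import hashlib
from collections import Counter


def hrw_owner(key, nodes):
    """Return the node whose hash(node, key) weight is highest for this key."""
    if not nodes:
        raise ValueError("pool is empty")

    def weight(node):
        digest = hashlib.sha256(f"{node}|{key}".encode()).digest()
        return int.from_bytes(digest[:8], "big")

    return max(nodes, key=weight)


def assign(keys, nodes):
    """Map every key to its owning node for the given pool membership."""
    return {k: hrw_owner(k, nodes) for k in keys}


def moved(before, after):
    """Keys whose owner differs between two assignments."""
    return [k for k in before if before[k] != after[k]]


# Constructed sample keys (stand-ins for per-host state such as software records).
KEYS = [f"10.0.{i // 256}.{i % 256}" for i in range(2000)]

if __name__ == "__main__":
    one = assign(KEYS, ["proxy-1"])
    two = assign(KEYS, ["proxy-1", "proxy-2"])
    three = assign(KEYS, ["proxy-1", "proxy-2", "proxy-3"])

    # With a single proxy, every key lands on it: nothing is partitioned.
    print("1 proxy :", dict(Counter(one.values())))
    # Adding proxies spreads the keys, and with them the memory they occupy.
    print("2 proxies:", dict(Counter(two.values())))
    print("3 proxies:", dict(Counter(three.values())))

    # Growing the pool only relocates keys that the new proxy now wins;
    # keys never shuffle between the proxies that were already present.
    relocated = moved(two, three)
    print("moved 2->3:", len(relocated), "of", len(KEYS))
    print("all moved keys now on proxy-3:",
          all(three[k] == "proxy-3" for k in relocated))
```

Because only the keys won by the new member relocate, growing the pool later disturbs roughly 1/n of the partitioned state rather than all of it.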

