[Bro] Just installed bro cluster
William L. Jones
jones at tacc.utexas.edu
Fri Jun 19 10:50:46 PDT 2009
The worker node is on an AMD system with 4 cores running Linux; it is just a starter system made from spare parts and will be expanded at some future date to a full bro cluster with multiple work machines. It has two dual port 10 GigE interfaces.
Here are a few things that I think need a little work in the bro cluster setup.
* The interface definition needs to allow multiple interfaces to be specified. In my case the output of a tap is fed into a dual port 10 GigE card, so I have to have bro read from two network interfaces. Right now you can work around the problem by just adding -I <second interface> on the node interface configuration line, but I think it deserves a more formal solution.
* One of my 10 GigE circuits has 3 VLANs on it, which show up as 6 interfaces. With the non-cluster version of bro I just ran with 3 different configuration files and kept logs and reports in three separate directories. One important side effect was that it allowed 3 separate instances of bro so that the system could spread the load across multiple CPUs instead of one. With bro cluster I could not run 3 bro workers on one machine due to the way the workers and server talk to each other. I think it would be an important enhancement to bro cluster to allow multiple bro work instances on the same machine.
Bill Jones