[Bro] Running a Bro cluster diskless?
Schoenefeld, Keith P.
Keith_Schoenefeld at baylor.edu
Mon Apr 11 12:59:59 PDT 2011
Background:
With some guidance from Seth, Baylor is jumping into Bro in a 'timidly aggressive' (should I trademark that?) fashion. We are currently working to build a Bro cluster that can analyze up to 2Gb/s of traffic. We'll have about 900Mb/s of capacity once the upgrades to our exit are complete, with our real aggregate traffic measuring significantly below the 1.8Gb/s maximum.
We have purchased six systems and a switch: one front end system to run Click!, four worker systems, and a manager system. A private network will be used between the frontend system and the workers and another will be used between the workers and the management system.
I have a history with running diskless HPC systems leveraging JessWulf [1], and hope/plan to do the same with our Bro configuration. Simply put, JessWulf is an RPM-based toolkit/guide for running RPM-based Linux distributions in a master/node cluster environment, where all nodes are diskless.
I hope to use the 'manager' server as the master and the worker servers as the nodes in a JessWulf cluster to ease configuration and management. I will certainly have some small local ramdisk as well as local hard drives for non-persistent scratch space as needed.
Now, for the question(s):
Does anyone have experience running Bro diskless like this already? What are the common problems unique to this configuration, where will I likely want to leverage the local scratch space, and is this absolutely the wrong way to run a Bro cluster?
Thanks for any help,
-- KS
[1] - https://wiki.uis.georgetown.edu/display/CCF/JessWulf+-+A+Diskless+Beowulf+Cluster+Toolkit
Keith Schoenefeld
Information Security Analyst
Baylor University