[Bro] Standalone vs cluster

Clark Gaylord cgaylord at vt.edu
Mon Aug 24 05:48:56 PDT 2015

This appears to have been discussed in 2009, so I thought I might re-ask to
see if anything has changed, and to add a follow-on question/clarification.
I don't see any further discussion from searching the archives.

If using a single box to run bro, is there any advantage to running cluster
mode (all localhost) rather than standalone?

The previous answer was: no reason to do so, with additional clarification
that a) if you're thinking of eventually migrating to cluster mode, getting
the configuration correct will be the least of your trouble and b) unless
you want to take advantage of multiple cores.

The latter point is why I am posing the question again: on a 12-core box,
for example, how does one (and should one) take advantage of these cores?
The last I have seen is a) bro is single threaded and b) the rule of thumb
is 80Mbps/core. If this is so, then am I at risk of dropping data on the
floor if I don't specifically have more workers?

Say I can expect to see 500 Mbps peak, with occasional sustained load of
say 300 Mbps.

To accommodate this traffic load, should six workers be defined all on
localhost? Or does a single localhost worker (the default in standalone,
right?) already utilize the cores to achieve the desired performance?

Thanks for your suggestions