[Bro] Standalone vs cluster

Mike Patterson mike.patterson at uwaterloo.ca
Mon Aug 24 06:29:21 PDT 2015

You're going to want to run it as a cluster, even if it's all on one box.
80Mbps/core seems low nowadays, although it depends on your CPUs. We're easily handling loads[0] in the 3-4Gbps range on 16 workers, 4 proxies, and a manager (all on the same 20 core box). My CPUs are E5-2687W v3 @ 3.10GHz. Pin your processes and you should be ok. But yes, if the load is too much, then you'll drop traffic. Enable the capture loss script and graph its output to get an idea.

[0] asterisk: two workers drop more traffic than the other 14 due to CPUs at 100%, load follows the workers, gave up trying to figure that one out for now, those drop 5-10% - I'm assuming it's some prolonged traffic and/or some weird hashing on my network card, an Endace DAG 9.2X2.


My grandfather on why he has no computer in his house: "it's just a
passing fad." I'm feeling less and less of an urge to beg to differ
with him.  - Omri Schwarz

> On Aug 24, 2015, at 8:48 AM, Clark Gaylord <cgaylord at vt.edu> wrote:
> This appears to have been discussed in 2009, so I thought I might re-ask to see if anything has changed, and to add a follow-on question/clarification. I don't see any further discussion from searching the archives.
> If using a single box to run bro, is there any advantage to running cluster mode (all localhost) rather than standalone?
> The previous answer was: no reason to do so, with additional clarification that a) if you're thinking of eventually migrating to cluster mode, getting the configuration correct will be the least of your trouble and b) unless you want to take advantage of multiple cores.
> The latter point is why I am posing the question again: on a 12-core box, for example, how does one (and should one) take advantage of these cores? The last I have seen is a) bro is single threaded and b) the rule of thumb is 80Mbps/core. If this is so, then am I at risk of dropping data on the floor if I don't specifically have more workers?
> Say I can expect to see 500 Mbps peak, with occasional sustained load of say 300 Mbps.
> To accommodate this traffic load, should six workers be defined all on localhost? Or does a single localhost worker (the default in standalone, right?) already utilize the cores to achieve the desired performance?
> Thanks for your suggestions
> Clark
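The capture-loss check suggested in the reply above, as an added example that is not part of the original thread: it reads a `capture_loss.log` in Bro's tab-separated format and reports which workers are dropping traffic, so an overloaded worker stands out before it becomes a visibility gap. The field names are those written by the `misc/capture-loss` script; the worker names, sample values and 1% threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample in Bro's tab-separated log layout (not real traffic).
# Worker names and counts are made up for illustration.
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#path\tcapture_loss",
    "#fields\tts\tts_delta\tpeer\tgaps\tacks\tpercent_lost",
    "#types\ttime\tinterval\tstring\tcount\tcount\tdouble",
    "1440423000.0\t900.0\tworker-1-1\t10\t50000\t0.02",
    "1440423000.0\t900.0\tworker-1-2\t3000\t40000\t7.5",
    "1440423000.0\t900.0\tworker-1-3\t0\t0\t0.0",
    "1440423900.0\t900.0\tworker-1-1\t15\t50000\t0.03",
    "1440423900.0\t900.0\tworker-1-2\t5000\t60000\t8.333333",
    "#close\t2015-08-24-07-00-00",
])

def read_bro_log(lines):
    """Yield one dict per data row, keyed by the names in the #fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("data row seen before #fields header")
            yield dict(zip(fields, line.split("\t")))

def loss_by_peer(lines):
    """Overall loss % per worker, recomputed from summed gaps and acks
    so that busy intervals weigh more than quiet ones."""
    gaps, acks = defaultdict(int), defaultdict(int)
    for row in read_bro_log(lines):
        gaps[row["peer"]] += int(row["gaps"])
        acks[row["peer"]] += int(row["acks"])
    # A worker that saw no ACKs at all (idle interface) reports 0% loss.
    return {p: (100.0 * gaps[p] / acks[p] if acks[p] else 0.0) for p in acks}

def lossy_workers(lines, threshold_pct=1.0):
    """Names of workers whose overall loss meets or exceeds the threshold."""
    return sorted(p for p, pct in loss_by_peer(lines).items()
                  if pct >= threshold_pct)

if __name__ == "__main__":
    for peer, pct in sorted(loss_by_peer(SAMPLE_LOG.splitlines()).items()):
        print(f"{peer}\t{pct:.3f}%")
    print("over threshold:", lossy_workers(SAMPLE_LOG.splitlines()))
```

Pass an open file handle for the real log in place of the sample lines to run it against a live deployment.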
