[Bro] Standalone vs cluster

Mike Reeves luke at geekempire.com
Mon Aug 24 06:34:58 PDT 2015 

I run all of my single boxes as clusters. This is how you get it to scale
locally. That way you can take full advantage of all the cores on the box.
The amount of workers really depends on the traffic and types of traffic.
start with 6 and see how it does.

Thanks

Mike

On Mon, Aug 24, 2015 at 8:48 AM, Clark Gaylord <cgaylord at vt.edu> wrote:

> This appears to have been discussed in 2009, so I thought I might re-ask
> to see if anything has changed, and to add a follow on
> question/clarification. I don't see any further discussion from searching
> the archives.
>
> If using a single box to run bro, is there any advantage to running
> cluster mode (all localhost) rather than standalone?
>
> The previous answer was: no reason to do so, with additional clarification
> that a) if you're thinking of eventually migrating to cluster mode, getting
> the configuration correct will be the least of your trouble and b) unless
> you want to take advantage of multiple cores.
>
> The latter point is why I am posing the question again: on a 12-core box,
> for example, how does one (and should one) take advantage of these cores.
> The last I have seen is a) bro is single threaded and b) the rule of thumb
> is 80Mbps/core. If this is so, then am I at risk of dropping data on the
> floor if I don't specifically have more workers?
>
> Say I can expect to see 500 Mbps peak, with occasional sustained load of
> say 300 Mbps.
>
> To accommodate this traffic load, should six workers be defined all on
> localhost? Or does a single localhost worker (the default in standalone,
> right?) already utilize the cores to achieve the desired performance?
>
> Thanks for your suggestions
> Clark
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150824/67436279/attachment-0001.html

More information about the Bro mailing list