[Bro] Standalone vs cluster

Seth Hall seth at icir.org
Mon Aug 24 06:56:59 PDT 2015


> On Aug 24, 2015, at 8:48 AM, Clark Gaylord <cgaylord at vt.edu> wrote:
> 
> If using a single box to run bro, is there any advantage to running cluster mode (all localhost) rather than standalone?

Simple answer here, you almost never want to run standalone.

> The previous answer was: no reason to do so, with additional clarification that a) if you're thinking of eventually migrating to cluster mode, getting the configuration correct will be the least of your trouble and b) unless you want to take advantage of multiple cores.
> 
> The latter point is why I am posing the question again: on a 12-core box, for example, how does one (and should one) take advantage of these cores? The last I have seen is a) bro is single threaded and b) the rule of thumb is 80Mbps/core. If this is so, then am I at risk of dropping data on the floor if I don't specifically have more workers?

That rule of thumb was actually created for this box: 
	http://www.amazon.com/Dell-Computer-Professional-Extremely-Operation/dp/B002Q6ZTZM

I don’t recommend using those anymore (or ever), but the first production Bro cluster was running on a big stack of those because I got them for free. :)   That documentation needs to be updated at some point, but generally these days with modern hardware people will see ~200-250Mbps per core although it’s possible to make it run faster.

> To accommodate this traffic load, should six workers be defined all on localhost? Or does a single localhost worker (the default in standalone, right?) already utilize the cores to achieve the desired performance?

Did you read the load balancing documentation?
	https://www.bro.org/documentation/load-balancing.html

It’s a bit out of date, and unfortunately only includes directions for load balancing with pf_ring, but it should give you a first direction.  I’ll see if I can update that with a second mechanism soon too.  We’re working on adding another mechanism to the on-host load balancing options as well which we think should be really flexible and nice.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
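
Added example, not part of the original message or the Bro documentation: a BroControl `node.cfg` sketch of the layout discussed above, with manager, proxy and six load-balanced workers all on localhost using pf_ring. The interface name and the pinned core IDs are assumptions chosen for illustration; the worker count is the figure from the question.

```ini
# node.cfg: cluster layout on a single host (constructed example)

[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

[worker-1]
type=worker
host=localhost
# Assumption: eth0 is the monitored interface.
interface=eth0
# On-host load balancing; requires PF_RING to be installed on the box.
lb_method=pf_ring
# Six single-threaded worker processes share the interface's traffic.
lb_procs=6
# Assumption: core IDs picked for illustration, one per worker process.
pin_cpus=2,3,4,5,6,7
```

After deploying a layout like this, `broctl netstats` reports received and dropped packet counts per worker, which is the direct check for whether data is being dropped.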



