[Bro] Bro performance & sizing question
Melissa Muth
muthm at upenn.edu
Fri Nov 13 11:50:20 PST 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
We have a Bro cluster currently attempting to process up to 13Gbps
(1.4Mpps) partitioned over two 10Gbps Gigamon network taps.
Capture loss currently averages 44% - but before buying more hardware,
we'd like to sanity-check our plans with folks who have already
successfully sized their own installations.
Currently there are two Bro hosts in the cluster, each with 20 CPU
cores (3.1Ghz), 128GB memory, and Myricom cards with the Sniffer V3
driver. Each host runs a proxy, and 17 workers pinned to CPUs. The
manager is running on one of the worker hosts, and logs are being
written to SSD drives. We're using restrict_filters to ignore (large)
flows generated by four hosts.
The current plan is to buy 2 more worker hosts (same specs), as well
as a NAS for storing logs after each hourly rotation.
If we're capturing 56% of 13Gbps, that's 7454Mbps. Given the 34 cores
used by bro, that works out to 219Mbps/core and about 3.6Gbps/host.
Does that seem like expected performance, or might there be something
broken somewhere? Does it seem reasonable to buy two more worker hosts
(at least to handle current needs)?
Any thoughts or recommendations would be much appreciated.
Cheers,
Melissa
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iEYEARECAAYFAlZGPvwACgkQjGIGZe3KNcl6GgCgijm+F4zbDC0rnuP8VMRa2YSi
Tz8AoIPAvHBeF/R1e/C+HEIkSv2XO//L
=p+4P
-----END PGP SIGNATURE-----
More information about the Bro
mailing list