[Bro] Using workers without SSH possible?

[Robin Sommer]

Actually BroControl is already using rsync over SSH, but it needs SSH
for other stuff as well, as it runs commands on the worker nodes. The
rsync is used for transferring the Bro setup over to the workers. The
logs on the other hand are sent back via Bro's internal communication,
neither SSH nor rsync involved there.

Changing any of this remains tricky currently. However, we are planing
to switch to a different deployment model eventually where each node
maintains its Bro setup itself (so no rsync necessary anymore) and
also keeps a persistent broctld running for inter-node communication
(so no SSH executing commands anymore).

With regards of other approaches to monitor subnets, some folks run a
single-machine Bro cluster with multiple interfaces and then send each
subnet's traffic to one interface. That can work pretty well in
practice, but might not apply to your situation.

Robin

On Thu, Apr 28, 2016 at 15:43 +0200, Sven Dreyer wrote:

> Glenn,
> 
> Am 27.04.2016 um 14:57 schrieb Glenn Forbes Fleming Larratt:
> > Doesn't rsync default to using ssh as its transport? Also, I'm not sure
> > how using rsync vs. ssh improves things in the face of slow and
> > unreliable networking between nodes; can you elaborate?
> 
> I thought of locally collecting bro logs and have a cron job 
> transferring the log file(s) in regular intervals. If the network is 
> down for 5 minutes, no problem, the log files will be transferred the 
> next time the cronjob runs.
> 
> if you use "rsync -e ssh", rsync uses SSH as transport, that's correct. 
> But rsync has a standalone daemon mode and does not need SSH to be used.
> 
> Thanks,
> Sven
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 



-- 
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin