[Bro] Cluster minimal logs on manager

Jamie Saker cosmotraumatika at gmail.com
Tue Mar 22 12:02:34 PDT 2016


Justin - 

That was it!  Sigh… a little over-eager UFW implementation.  I added the range and that did the trick.  Now to lock it down to only sensor IPs…  :)  Thank you so much.

Cheers -

Jamie



> On Mar 22, 2016, at 1:44 PM, Azoff, Justin S <jazoff at illinois.edu> wrote:
> 
> Can your workers connect to your manager on tcp port 47761-47763 or so?
> 
> You probably want an iptables rule similar to
> 
>    iptables -A INPUT -s your.subnet.here/24 -p tcp -m multiport --dports 47000:48000 -m comment --comment "200 accept bro cluster connections" -j ACCEPT
> 
> on the different machines so everything can communicate properly.
> 
> -- 
> - Justin Azoff
> 
>> On Mar 22, 2016, at 2:14 PM, Jamie Saker <cosmotraumatika at gmail.com> wrote:
>> 
>> After upgrading/reinstalling the OS on my Bro manager, with a network of a dozen workers, I’ve managed to end up where I’m only seeing minimal logs at the manager (the manager is also the sole proxy):
>> 
>> communication.log
>> loaded_scripts.log
>> reporter.log
>> stderr.log
>> stdout.log
>> 
>> When I run Bro standalone on one of the sensors, all is well again.  I’ve exchanged the keys so that Bro can manage the workers just fine but apparently the logging isn’t being communicated correctly. Any recommendations other than rebuilding sensors from the OS up? I also know the sensors are seeing good traffic - Snort runs just fine on a tested sensor along with tcpdump, etc. 
>> 
>> Thanks - 
>> 
>> Jamie
>> 
>> 
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 
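The thread ends with the cluster ports opened broadly and the intent to restrict them to sensor addresses only. The script below is an added example, not code from the thread or from the Bro project: it generates host-firewall rules for the manager that accept the cluster port range (47761-47763, as Justin's note describes) only from a listed set of sensor addresses and drop it from everyone else, emitted in both iptables and ufw form. The sensor addresses and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or the Bro project): emit firewall rules
# that let only the listed sensors reach the manager's Bro cluster listeners.
# Port range follows the thread (workers connect on tcp 47761-47763); the
# sensor addresses used at the bottom are constructed placeholders.

BRO_PORTS="47761:47763"   # manager-side cluster listener range (assumption)

# is_ipv4 ADDR: syntactic check for a dotted-quad IPv4 address with an optional
# /prefix; anything else (hostnames, stray tokens) is rejected so a typo in the
# sensor list does not turn into a malformed rule.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# gen_iptables "SENSOR SENSOR ...": one ACCEPT rule per valid sensor, then an
# explicit DROP for the range so unlisted hosts cannot reach the listeners.
gen_iptables() {
    for s in $1; do
        if ! is_ipv4 "$s"; then
            echo "skipping invalid sensor address: $s" >&2
            continue
        fi
        printf 'iptables -A INPUT -s %s -p tcp -m multiport --dports %s -m comment --comment "accept bro cluster from sensor" -j ACCEPT\n' "$s" "$BRO_PORTS"
    done
    printf 'iptables -A INPUT -p tcp -m multiport --dports %s -j DROP\n' "$BRO_PORTS"
}

# gen_ufw "SENSOR SENSOR ...": the same allow-list expressed for ufw, which
# Jamie mentioned using; ufw's default-deny policy handles the drop.
gen_ufw() {
    for s in $1; do
        is_ipv4 "$s" || continue
        printf 'ufw allow from %s to any port %s proto tcp\n' "$s" "$BRO_PORTS"
    done
}

# Constructed sample sensor list, including one bad entry to show the filtering.
SENSORS="10.0.1.11 10.0.1.12 not-an-ip"
gen_iptables "$SENSORS"
gen_ufw "$SENSORS"
```

The generated lines are printed rather than applied, so they can be reviewed before being pasted onto the manager; the trailing DROP matters, since an ACCEPT-only list leaves the range open to any host the default policy already admits.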
