[Bro] Using workers without SSH possible?
Landy Bible
landy-bible at utulsa.edu
Sat May 14 20:19:46 PDT 2016
I would just run independent bro servers at each location and aggregate the
logs to a central location out of band with a periodic rsync or perhaps a
shipper like logstash. Assuming the clocks are in sync with ntp it'd be
easy enough to correlate logs.
On May 6, 2016 2:51 AM, "Sven Dreyer" <sven at dreyer-net.de> wrote:
> Thanks for the detailed information, Robin. We are unable to send the
> traffic of each subnet to a central bro instace because the
> interconnection speed is about 500 kBit/s, while the subnets have 100
> MBit/s or Gigabit Ethernet.
>
> I am aware that rsync over SSH is already used. I was just searching for
> a "non-persistent" connection between the workers and the central
> manager/proxy because of frequent outages of the interconnection lines.
>
> Thanks!
> Sven
>
>
> Am 28.04.2016 um 17:13 schrieb Robin Sommer:
> > Actually BroControl is already using rsync over SSH, but it needs SSH
> > for other stuff as well, as it runs commands on the worker nodes. The
> > rsync is used for transferring the Bro setup over to the workers. The
> > logs on the other hand are sent back via Bro's internal communication,
> > neither SSH nor rsync involved there.
> >
> > Changing any of this remains tricky currently. However, we are planing
> > to switch to a different deployment model eventually where each node
> > maintains its Bro setup itself (so no rsync necessary anymore) and
> > also keeps a persistent broctld running for inter-node communication
> > (so no SSH executing commands anymore).
> >
> > With regards of other approaches to monitor subnets, some folks run a
> > single-machine Bro cluster with multiple interfaces and then send each
> > subnet's traffic to one interface. That can work pretty well in
> > practice, but might not apply to your situation.
> >
> > Robin
> >
> > On Thu, Apr 28, 2016 at 15:43 +0200, Sven Dreyer wrote:
> >
> >> Glenn,
> >>
> >> Am 27.04.2016 um 14:57 schrieb Glenn Forbes Fleming Larratt:
> >>> Doesn't rsync default to using ssh as its transport? Also, I'm not sure
> >>> how using rsync vs. ssh improves things in the face of slow and
> >>> unreliable networking between nodes; can you elaborate?
> >>
> >> I thought of locally collecting bro logs and have a cron job
> >> transferring the log file(s) in regular intervals. If the network is
> >> down for 5 minutes, no problem, the log files will be transferred the
> >> next time the cronjob runs.
> >>
> >> if you use "rsync -e ssh", rsync uses SSH as transport, that's correct.
> >> But rsync has a standalone daemon mode and does not need SSH to be used.
> >>
> >> Thanks,
> >> Sven
> >>
> >> _______________________________________________
> >> Bro mailing list
> >> bro at bro-ids.org
> >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >>
> >
> >
> >
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160514/d559c78f/attachment.html
More information about the Bro
mailing list