[Bro] misc-stats question

Seth Hall seth at icir.org
Thu Sep 29 06:25:35 PDT 2016


> On Sep 29, 2016, at 8:50 AM, erik clark <philosnef at gmail.com> wrote:
> 
> In misc-stats, we have a field in stats.lg labeled "plt_lag". What exactly is this measuring?

		## Lag between the wall clock and packet timestamps if reading
		## live traffic.
		pkt_lag:       interval  &log &optional;

This could mean that packets are getting pulled from a queue somewhere after they're timestamped.  It doesn't necessarily mean a whole lot, but it could be an interesting data point in some circumstances.

> Also, in a reasonable deployment, what should we see as far as events_queued. Should this be close to zero? I am seeing a packet lag of 2.0-2.5, and several million events queued.

		## Number of events that have been queued since the last stats
		## interval.
		events_queued: count     &log;

This depends on your report interval (it's 5min by default) since it's reporting the number of events queued in the last report interval.  You probably don't want it to be zero; it would mean that Bro isn't doing anything.  Events are how almost all script execution happens too, so I'd expect it to be reasonably high in many circumstances.  In your case, this just means that you had several million events queued in a 5min period, which would seem ok to me, but we don't have much data on this yet.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
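A small added check, not from the thread or from Bro's own scripts, that reads a stats.log and normalizes events_queued to an events/sec rate using the default 5min report interval, and flags rows whose pkt_lag exceeds a threshold. The log sample below is constructed and carries only a subset of the real stats.log columns; the parser keys on the #fields header so the column order does not matter.

```python
# Constructed sample of a Bro stats.log (tab-separated, with the usual
# #fields/#types headers). Values are made up; pkt_lag is &optional, so an
# unset value shows up as "-" (see the worker-2 row).
SAMPLE_STATS_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tstats
#fields\tts\tpeer\tmem\tpkts_proc\tbytes_recv\tpkt_lag\tevents_proc\tevents_queued
#types\ttime\tstring\tcount\tcount\tcount\tinterval\tcount\tcount
1475153400.000000\tworker-1\t512\t1200000\t900000000\t2.3\t3100000\t3100000
1475153700.000000\tworker-1\t520\t1250000\t950000000\t0.1\t3200000\t3200000
1475154000.000000\tworker-2\t498\t1100000\t880000000\t-\t2900000\t2900000
"""

REPORT_INTERVAL_SECS = 300.0  # Stats::report_interval defaults to 5min


def parse_stats_log(text):
    """Parse Bro's stats.log into dicts keyed by the names in the #fields header."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header lines and blank lines
        elif fields is None:
            raise ValueError("data row before #fields header")
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def summarize(rows, interval=REPORT_INTERVAL_SECS, lag_threshold=1.0):
    """Per row: events/sec (events_queued is a per-interval count, so divide by
    the report interval) and whether pkt_lag is above lag_threshold seconds.
    lag_threshold is an assumed value, not a Bro default."""
    out = []
    for r in rows:
        raw_lag = r.get("pkt_lag", "-")
        lag = None if raw_lag == "-" else float(raw_lag)
        out.append({
            "ts": float(r["ts"]),
            "peer": r["peer"],
            "events_per_sec": int(r["events_queued"]) / interval,
            "pkt_lag": lag,
            "lag_high": lag is not None and lag > lag_threshold,
        })
    return out
```

Rows with lag_high set are the ones worth correlating with capture-side queueing; the events/sec figure is what makes intervals of different length comparable.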
