[Bro] intel.log file stops getting generated.

Azoff, Justin S jazoff at illinois.edu
Wed Jan 25 09:23:59 PST 2017


> On Jan 25, 2017, at 12:18 PM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
> 
> It turns out to be the performance issue.
> I restarted the bro cluster and it started getting generated, but have another issue:
> The bro sensors are utilizing almost 100% memory as well as some part of swap.
> 
> We recently upgraded the kernel and CentOS to 7.3 on the bro cluster, and are using the latest pfring v6.4.1.
> We have 4 bro sensors, each with 132G of memory and a 24-core CPU @ 2.50GHz with 48 On-line CPU(s) (0-17), and each running 22 bro processes.

With pf_ring, the first thing to check would be to verify that bro is using pf_ring correctly.  If it's not, you end up analyzing 100% of the traffic 22 times.

If you do a

    ls -l /proc/net/pf_ring/

and

    cat /proc/net/pf_ring/info

it should show rings in use and one file per bro process, like:

    -r--r--r--. 1 root root 0 Jan 25 11:23 36549-p1p1.376
    -r--r--r--. 1 root root 0 Jan 25 11:23 36552-p1p1.369
    -r--r--r--. 1 root root 0 Jan 25 11:23 36561-p1p1.377
    -r--r--r--. 1 root root 0 Jan 25 11:23 36581-p1p1.372
    -r--r--r--. 1 root root 0 Jan 25 11:23 36594-p1p1.375
    -r--r--r--. 1 root root 0 Jan 25 11:23 36600-p1p1.378
    -r--r--r--. 1 root root 0 Jan 25 11:23 36608-p1p1.371
    -r--r--r--. 1 root root 0 Jan 25 11:23 36611-p1p2.373

-- 
- Justin Azoff
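
Added example (not part of the original message): a shell check for the condition described above, that /proc/net/pf_ring holds one ring file per bro process. It assumes ring entries are named `<pid>-<interface>.<ring id>` as in the listing; the function names `count_rings` and `check_rings` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original message.
# Assumption: per-ring entries are named <pid>-<iface>.<ring id>, as in the
# listing above; anything else in the directory (e.g. info) is skipped.

# count_rings [DIR]
# Prints "<iface> <count>" for each interface, then "total <count>".
count_rings() {
    dir=${1:-/proc/net/pf_ring}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue            # skip subdirectories
        name=${f##*/}
        case $name in
            [0-9]*-*.[0-9]*) ;;            # looks like a ring entry
            *) continue ;;
        esac
        rest=${name#*-}                    # drop "<pid>-"   -> p1p1.376
        echo "${rest%.*}"                  # drop ".<ring>"  -> p1p1
    done | sort | uniq -c |
        awk '{ print $2, $1; total += $1 } END { print "total", total + 0 }'
}

# check_rings DIR EXPECTED
# Succeeds only when the number of rings equals the number of bro
# processes expected on this sensor.
check_rings() {
    total=$(count_rings "$1" | awk '$1 == "total" { print $2 }')
    if [ "$total" -eq "$2" ]; then
        echo "OK: $total rings for $2 bro processes"
    else
        echo "MISMATCH: $total rings for $2 bro processes;" \
             "some workers may not be capturing through pf_ring" >&2
        return 1
    fi
}

# On a sensor running 22 bro processes:
#   count_rings /proc/net/pf_ring
#   check_rings /proc/net/pf_ring 22
```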



