[Bro] intel.log file stops getting generated.

Azoff, Justin S jazoff at illinois.edu
Wed Jan 25 10:13:15 PST 2017


Interesting, so all of your workers are pretty much the same at

worker-1-12  worker  wrk1.xx.xx.xx 78972   parent    5G     5G   6%  bro
worker-1-12  worker  wrk1.xx.xx.xx 78994   child   428M   269M   0%  bro

Do you have any system monitoring graphs that would show memory usage over time?  I wonder if they are quickly growing to 5G at startup, or if they are slowly growing over time.  In a pinch, you can do things like throw something like (date;broctl top) in cron and send the output to a file.

Are you loading misc/detect-traceroute or misc/scan.bro?

-- 
- Justin Azoff

> On Jan 25, 2017, at 1:02 PM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
> 
> Forgot to mention about the arch. of cluster:
> 1 manager node (which is defined as logger as well)
> 4 worker nodes (which are defined as proxies as well)
> 
> Before (in 2.4.1) we used to have manager act as proxy, but because of a performance issue (i.e. bro unable to rotate logs on manager), moved the proxy functionality to the workers.
> 
> Attaching the output of 'broctl top', as it will swamp this email with text if pasted in the body :-)
> 
> Thanks,
> Fatema
> 
> 
> 
> On Wed, Jan 25, 2017 at 12:47 PM, Azoff, Justin S <jazoff at illinois.edu> wrote:
> > On Jan 25, 2017, at 12:45 PM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
> >
> > Hi Justin,
> >
> > Thanks for suggestions.
> > Here are the stats (Looks like bro using pf_ring correctly though):
> 
> Yes.. that is how it should look.. very important to verify that before checking anything else :-)
> 
> What does your 'broctl top' output look like?
> 
> That will break things down by each process
> 
> --
> - Justin Azoff
> 
> 
> 
> <broctl_top.txt>
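
Added example, not part of the original message and not BroControl code: a parser for a file collected by running `(date; broctl top)` from cron, as suggested above, that tells whether each process's RSS jumped early or grew gradually. The sample log, host names, the `parse_samples` and `growth_profile` helpers, the K/M/G size suffixes and the 1.5x / 90% / first-half thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of a cron-collected `(date; broctl top)` file. Row layout
# follows the two rows quoted in the message; names and values are made up.
SAMPLE_LOG = """\
Wed Jan 25 10:00:00 PST 2017
worker-1-1  worker  wrk1.example 1001   parent    1G     1G   6%  bro
worker-1-1  worker  wrk1.example 1002   child   428M   269M   0%  bro
worker-1-2  worker  wrk1.example 1003   parent  700M   600M   5%  bro
Wed Jan 25 10:05:00 PST 2017
worker-1-1  worker  wrk1.example 1001   parent    2G     2G   6%  bro
worker-1-1  worker  wrk1.example 1002   child   428M   269M   0%  bro
worker-1-2  worker  wrk1.example 1003   parent    5G     5G   5%  bro
Wed Jan 25 10:10:00 PST 2017
worker-1-1  worker  wrk1.example 1001   parent    4G     4G   6%  bro
worker-1-1  worker  wrk1.example 1002   child   428M   270M   0%  bro
worker-1-2  worker  wrk1.example 1003   parent    5G     5G   5%  bro
Wed Jan 25 10:15:00 PST 2017
worker-1-1  worker  wrk1.example 1001   parent    5G     5G   6%  bro
worker-1-1  worker  wrk1.example 1002   child   428M   269M   0%  bro
worker-1-2  worker  wrk1.example 1003   parent    5G     5G   5%  bro
"""

UNITS = {"K": 1 / 1024, "M": 1, "G": 1024}  # size suffix -> MiB (assumed suffixes)
# Columns: name, type, host, pid, proc, vsize, rss, cpu%, cmd
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(parent|child)\s+"
                 r"(\d+(?:\.\d+)?)([KMG])\s+(\d+(?:\.\d+)?)([KMG])\s+\d+%\s+\S+")

def parse_samples(text):
    """Return {(name, proc): [(timestamp, rss_mib), ...]} from the cron log."""
    series, stamp = defaultdict(list), None
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rss_mib = float(m.group(8)) * UNITS[m.group(9)]
            series[(m.group(1), m.group(5))].append((stamp, rss_mib))
        elif line.strip() and not line.startswith("Name"):
            stamp = line.strip()  # the `date` line written before each snapshot
    return dict(series)

def growth_profile(points, early_fraction=0.5):
    """Heuristic label for one process: 'flat', 'fast at startup' or 'gradual'."""
    rss = [r for _, r in points]
    if max(rss) < 1.5 * rss[0]:
        return "flat"
    reached = next(i for i, r in enumerate(rss) if r >= 0.9 * max(rss))
    return "fast at startup" if reached <= early_fraction * (len(rss) - 1) else "gradual"
```

The labels are only meaningful when the first snapshot is taken shortly after the cluster is restarted.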



