[Bro] intel.log file stops getting generated.

fatema bannatwala fatema.bannatwala at gmail.com
Wed Jan 25 10:28:14 PST 2017


Yeah, all procs are pretty much the same. Not sure why there is a parent/child
pair for each process; I thought it would just be 22 processes per node. Hmm,
interesting.

I think we don't have any system monitoring graphs on the workers (looking
into installing some tool to do that; I was googling about the same :)).
I can set up a cron to do broctl top and send the output to a file.

The misc/detect-traceroute script isn't loaded, but misc/scan is loaded in
local.bro. I was just about to configure Aashish's scan-NG script to detect
other kinds of scans as well, but seeing the boxes already swapping, I chucked
the plan :(

Thanks,
Fatema.

On Wed, Jan 25, 2017 at 1:13 PM, Azoff, Justin S <jazoff at illinois.edu>
wrote:

> Interesting, so all of your workers are pretty much the same at
>
> worker-1-12  worker  wrk1.xx.xx.xx 78972   parent    5G     5G   6%  bro
> worker-1-12  worker  wrk1.xx.xx.xx 78994   child   428M   269M   0%  bro
>
> Do you have any system monitoring graphs that would show memory usage over
> time?  I wonder if they are quickly growing to 5G at startup, or if they
> are slowly growing over time.  In a pinch, you can do things like throw
> something like (date;broctl top) in cron and send the output to a file.
>
> Are you loading misc/detect-traceroute or misc/scan.bro ?
>
> --
> - Justin Azoff
>
> > On Jan 25, 2017, at 1:02 PM, fatema bannatwala <
> fatema.bannatwala at gmail.com> wrote:
> >
> > Forgot to mention about the arch. of cluster:
> > 1 manager node (which is defined as logger as well)
> > 4 worker nodes (which are defined as proxies as well)
> >
> > Before (in 2.4.1) we used to have the manager act as proxy, but because of a
> performance issue (i.e. bro unable to rotate logs on the manager), we moved the
> proxy functionality to the workers.
> >
> > Attaching the output of 'broctl top', as it will swamp this email with
> text if pasted in the body :-)
> >
> > Thanks,
> > Fatema
> >
> >
> >
> > On Wed, Jan 25, 2017 at 12:47 PM, Azoff, Justin S <jazoff at illinois.edu>
> wrote:
> > > On Jan 25, 2017, at 12:45 PM, fatema bannatwala <
> fatema.bannatwala at gmail.com> wrote:
> > >
> > > Hi Justin,
> > >
> > > Thanks for suggestions.
> > > Here are the stats (Looks like bro using pf_ring correctly though):
> >
> > Yes.. that is how it should look.. very important to verify that before
> checking anything else :-)
> >
> > What does your 'broctl top' output look like?
> >
> > That will break things down by each process
> >
> > --
> > - Justin Azoff
> >
> >
> >
> > <broctl_top.txt>
>
>
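The "(date;broctl top) in cron" suggestion quoted above is enough to answer Justin's question (do the parents jump to 5G at startup, or creep up over hours?), but only if the snapshots can be read back per process. The script below is an added example, not from the thread and not part of Bro/BroControl: one subcommand appends a timestamped `broctl top` snapshot (meant to run from cron), the other reads the accumulated log back and prints VSize, RSS and the RSS change between snapshots for a single node/process pair, with G/M/K suffixes normalized to MB. The column layout is taken from the `broctl top` lines quoted in the thread; the log path and the five-minute cron interval are assumptions, and the embedded sample log is constructed, not real data.

```sh
#!/bin/sh
# Added example (not from the thread or from BroControl): snapshot 'broctl top'
# from cron and summarize one process's memory across snapshots.
#
# Cron (interval is an assumption):
#   */5 * * * * /usr/local/bin/broctl_top_snap.sh snapshot >> /var/tmp/broctl_top.log 2>&1
# Read back later:
#   /usr/local/bin/broctl_top_snap.sh trend worker-1-12 parent < /var/tmp/broctl_top.log

# One snapshot: a '=== <UTC timestamp>' marker followed by raw 'broctl top' output.
# Assumes broctl is on PATH (or run as the user whose PATH includes it).
snapshot() {
    echo "=== $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    broctl top
}

# mem_trend NODE PROC  (PROC is 'parent' or 'child'); reads a snapshot log on stdin.
# 'broctl top' columns as seen in the thread:
#   Name  Type  Host  Pid  Proc  VSize  Rss  Cpu  Cmd
# Prints: <timestamp> <vsize_mb> <rss_mb> <rss_change_since_previous_mb>
mem_trend() {
    awk -v node="$1" -v proc="$2" '
        # Normalize a broctl size string such as 5G / 428M / 900K / plain bytes to MB.
        function mb(v,    n, u) {
            n = v + 0                       # awk keeps the numeric prefix
            u = substr(v, length(v), 1)
            if (u == "G") return n * 1024
            if (u == "M") return n
            if (u == "K") return int(n / 1024)
            return int(n / 1048576)
        }
        /^=== / { ts = $2; next }           # snapshot marker carries the timestamp
        $1 == node && $5 == proc {
            rss   = mb($7)
            delta = seen ? rss - prev : 0
            printf "%s %d %d %d\n", ts, mb($6), rss, delta
            prev = rss; seen = 1
        }
    '
}

# Constructed sample log (not real data) shaped like the quoted 'broctl top'
# lines: the parent jumps from 1G to 5G between the first two snapshots and
# then stays flat, which is the "grows quickly at startup" pattern.
SAMPLE_LOG='=== 2017-01-25T18:00:00Z
Name         Type    Host          Pid     Proc    VSize   Rss   Cpu   Cmd
worker-1-12  worker  wrk1.xx.xx.xx 78972   parent    1G     1G   6%   bro
worker-1-12  worker  wrk1.xx.xx.xx 78994   child   428M   269M   0%   bro
=== 2017-01-25T18:05:00Z
Name         Type    Host          Pid     Proc    VSize   Rss   Cpu   Cmd
worker-1-12  worker  wrk1.xx.xx.xx 78972   parent    5G     5G   6%   bro
worker-1-12  worker  wrk1.xx.xx.xx 78994   child   430M   270M   0%   bro
=== 2017-01-25T18:10:00Z
Name         Type    Host          Pid     Proc    VSize   Rss   Cpu   Cmd
worker-1-12  worker  wrk1.xx.xx.xx 78972   parent    5G     5G   6%   bro
worker-1-12  worker  wrk1.xx.xx.xx 78994   child   431M   270M   0%   bro'

# Run the trend report over the constructed sample.
demo() {
    printf '%s\n' "$SAMPLE_LOG" | mem_trend worker-1-12 parent
}

case "${1:-}" in
    snapshot) snapshot ;;
    trend)    shift; mem_trend "$@" ;;
esac
```

A steadily positive last column over many snapshots points at slow growth (state tables, scan tracking, etc.), while a single large jump right after `broctl start` followed by zeros points at startup allocation; either way the per-snapshot numbers are what to attach to a follow-up rather than a single `broctl top`.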