[Bro] intel.log file stops getting generated.

Azoff, Justin S jazoff at illinois.edu
Wed Jan 25 10:42:41 PST 2017


> On Jan 25, 2017, at 1:28 PM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
> 
> Yeah, all procs pretty much the same, not sure why there is a parent/child pair for each process, thought it would just be 22 processes per node, hmm interesting.

The child process handles the communication to the manager/proxies.  These will go away once the conversion to broker is done.

> I think we don't have any system monitoring graphs on the workers (Looking into installing some tool to do that, was googling about the same :)).
> I can set up a cron to do broctl top and send the output to a file.

Munin is crazy easy to get up and running and does the job, but it's not the best monitoring system out there.  You can also use things like sar to collect data and use something else to graph it.

> The misc/detect-traceroute script isn't loaded, but misc/scan is loaded in local.bro, was just about to configure Aashish's scan-NG script to detect other kind of scans as well, but
> seeing the boxes already swapping, chucked the plan :(

Ah.. if your network sees a lot of scan traffic, scan.bro could be what is killing your cluster.

If you run these commands, what values do you get?

    wc -l conn.log                                              # total lines in the current conn.log
    cat conn.log|bro-cut id.resp_p |fgrep -cw 23                # connections to port 23 (telnet)
    cat conn.log|bro-cut history|sort|uniq -c|sort -rn|head     # most common connection histories

-- 
- Justin Azoff
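The three checks above, as an added example that is not part of the original thread: a small POSIX shell script that reproduces them with awk alone, so they also run on a box where bro-cut is not installed. It assumes the standard tab-separated Bro ASCII conn.log with a `#fields` header line; the records it writes to `$CONN_LOG` are constructed sample data, not a real capture, and the function names (`cut_field`, `count_conns`, `count_resp_port`, `history_histogram`) are the example's own.

```shell
#!/bin/sh
# Added example, not code from the original thread: reproduce the three
# conn.log checks from the mail with awk alone. Assumption: the standard
# tab-separated Bro ASCII log with a "#fields" header; the records below
# are constructed sample data (four SYN-only probes to port 23 from one host).

CONN_LOG="${CONN_LOG:-/tmp/conn_sample.log}"

# Write a small constructed conn.log; spaces become the tab separators.
write_sample_log() {
    tr ' ' '\t' > "$1" <<'EOF'
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto history
#types time string addr port addr port enum string
1485360000.1 C1 10.0.0.5 51000 10.0.0.20 22 tcp ShADadfF
1485360000.2 C2 192.0.2.10 40001 10.0.0.1 23 tcp S
1485360000.3 C3 192.0.2.10 40002 10.0.0.2 23 tcp S
1485360000.4 C4 192.0.2.10 40003 10.0.0.3 23 tcp S
1485360000.5 C5 192.0.2.10 40004 10.0.0.4 23 tcp S
1485360000.6 C6 198.51.100.7 52000 10.0.0.9 80 tcp ShADadFf
1485360000.7 C7 192.0.2.10 40005 10.0.0.5 2323 tcp S
1485360000.8 C8 10.0.0.5 53001 10.0.0.53 53 udp Dd
EOF
}

# Emulate "bro-cut FIELD": find FIELD's column in the #fields header and
# print that column for every record (lines starting with # are metadata).
cut_field() {
    awk -F'\t' -v want="$1" '
        /^#fields/ { for (i = 2; i <= NF; i++) if ($i == want) col = i - 1; next }
        /^#/       { next }
        col > 0    { print $col }
    ' "$2"
}

# "wc -l conn.log" counts header lines too; count only connection records.
count_conns() {
    awk '!/^#/ { n++ } END { print n + 0 }' "$1"
}

# "bro-cut id.resp_p | fgrep -cw PORT", with an exact numeric match so that
# 2323 is not mistaken for 23.
count_resp_port() {
    cut_field id.resp_p "$2" | awk -v p="$1" '$1 == p { n++ } END { print n + 0 }'
}

# "bro-cut history | sort | uniq -c | sort -rn | head", printed as
# "COUNT HISTORY". A large share of bare "S" (SYN sent, never answered)
# is the half-open pattern that scan traffic leaves behind.
history_histogram() {
    cut_field history "$1" | awk '{ c[$1]++ } END { for (h in c) print c[h], h }' |
        sort -rn | head -n "${2:-10}"
}

write_sample_log "$CONN_LOG"
echo "records:     $(count_conns "$CONN_LOG")"
echo "to port 23:  $(count_resp_port 23 "$CONN_LOG")"
echo "top histories:"
history_histogram "$CONN_LOG"
```

Point `CONN_LOG` at a real `conn.log` from a worker's current spool and skip the `write_sample_log` call to run the same three checks on live data; a history table dominated by `S` alongside a high port-23 count is the kind of picture that makes scan.bro expensive.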