[Bro] Running specific scripts on specific workers

Dave Crawford bro at pingtrip.com
Sat Mar 11 15:43:09 PST 2017


I have a cluster that has three workers configured in node.cfg and I’m looking for the best approach for limiting the scripts on each. For example, with v2.4 this style config in local.bro worked great:

# CONDITIONAL SCRIPT LOADING #
@if ( Cluster::is_enabled() )
  # INTERNAL ONLY - Matches on workers (MID_INT-1), proxies (MID_INT_PXY_1), and manager (MGR_INT).
  @if ( /^.{3,3}_INT.*/ in Cluster::node)
      # load internal specific scripts here
  @endif

  # GLR ONLY - Matches on workers (MID_GLR-1), proxies (MID_INT_PXY), and manager (MGR_INT).
  @if ( /^(MID_GLR|[DIMNW]{3,3}_INT_PXY|MGR_INT).*/ in Cluster::node )
    # Load GLR specifc scripts
  @endif

  # DNS ONLY - Matches on workers (MID_GLR-1), proxies (MID_INT_PXY), and manager (MGR_INT).
  @if ( /^(MID_DNS|[DIMNW]{3,3}_INT_PXY|MGR_INT).*/ in Cluster::node )
    # Load DNS specifc scripts
  @endif
@endif

However, I’ve started seeing an oddity since moving to v2.5 where some events in notice.log have an entirely unrelated “note” value. If I remove the conditional script loading, and load all scripts everywhere, the problem goes away.

I did limited testing with “aux_scripts” in nod.cfg but was unsure of the proper config. I vaguely recall reading that if scripts weren’t loaded on the proxies and manager, as well as the worker, things could malfunction.

Would a better approach be to move conditional logic into the specific scripts themselves? For example, if node ==“GLR” then exit.
 
-Dave

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170311/f5f2d001/attachment.html 


More information about the Bro mailing list