[Bro] Manager swapping..

fatema bannatwala fatema.bannatwala at gmail.com
Thu Mar 23 07:56:25 PDT 2017


Nope, based on our previous discussion in another thread,
I disabled misc/scan and loaded the scan-NG-master script.
I always thought that the scripts would have more load on workers than
on the manager.
When I was seeing memory issues on workers, I stopped using misc/scan and
switched to the scan-NG script.
Didn't know that it would impact manager performance as well, hmm.

On Thu, Mar 23, 2017 at 10:43 AM, Azoff, Justin S <jazoff at illinois.edu> wrote:

>
> > On Mar 23, 2017, at 7:40 AM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
> >
> > Thanks Justin for the input :)
> >
> > I restarted Bro after disabling some of the protocol logging (like rdp, syslog, snmp etc) yesterday afternoon,
> > as the machine is in production and needed to be fixed kind of "ASAP". Hence couldn't get a chance to run
> > the broctl top while having the issue. I know you have mentioned it a couple of times in the past to use "broctl top"
> > instead of normal "top", but magically I keep forgetting to do that. I think I should come up with my BRO troubleshooting
> > guide, which should list some basic troubleshooting commands that you guys suggest in these emails :)
> >
> > Anyways, I did run the command today, and it looks like the manager process is overwhelmed,
> > hmm I thought that it might be the logger that might be having issues catching up on the load, but I was wrong:
> >
> > $ sudo -u bro /usr/local/bro/2.5/bin/broctl top manager logger
> > Name         Type    Host   Pid     Proc    VSize  Rss  Cpu   Cmd
> > logger       logger   IDS   60928    parent    2G    90M  17%  bro
> > logger       logger   IDS   60932    child   522M   246M   5%  bro
> > manager      manager  IDS   60990    child     1G   257M  35%  bro
> > manager      manager  IDS   60973    parent  222G    31G  23%  bro
> >
> > It makes me think, if there is some memory leak issue with manager.
>
> Are you loading misc/detect-traceroute or misc/scan in your local.bro?
>
> --
> - Justin Azoff