[Bro] Bro cluster's CPU usage
Seth Hall
seth at corelight.com
Mon Nov 6 05:21:25 PST 2017
On 5 Nov 2017, at 17:37, Shuai Hao wrote:
> Bro is running with the cluster mode, and the pf_ring is enabled to
> utilize the dual cores. We use iperf to send traffic with controlled
> target bandwidth to investigate the CPU usage of Bro's processes.
That's not a good way to test Bro performance unless iperf traffic is
what will be monitored when you move to operational use. Since Bro is
so heavily centered around packet parsing and logging you are just
overwhelming certain areas of Bro and not even executing other areas of
it.
> The question is that sometimes we see a significant increase (60%~70%)
> in CPU usage from two loggers' processes ($~bro/bin/bro -U .status -p
> broctl ... logger ...). How should we understand the resources consumed
> by the loggers? For our case, what is the reasonable approach to
> evaluate Bro's CPU usage?
Those two logger processes you are seeing are actually a parent and
child. The child does the socket communication with the other Bro
processes and the parent is the Bro process. You will see increased cpu
utilization from the logger as more logs are written. The next question
that is brought up is what logs are being written. It's not always easy
to guess.
.Seth
--
Seth Hall * Corelight, Inc * www.corelight.com
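One way to answer "what logs are being written", as an added example that is not from this thread or from the Bro project: sample the line counts of the logger's current `*.log` files twice and rank them by lines per second. The default log directory below is an assumption based on the usual broctl layout; pass your own path if it differs.

```shell
#!/bin/sh
# Added example (not from the mailing list thread). Estimates which Bro logs
# the logger process is writing most heavily by sampling line counts of every
# *.log in the logger's current log directory twice, then reporting the
# growth rate per log in lines/second, highest first.

snapshot_log_lines() {
    # Print "<logname> <linecount>" for each *.log in directory $1, sorted by
    # name so that the two snapshots can be joined line by line.
    dir=$1
    for f in "$dir"/*.log; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(basename "$f" .log)" "$(wc -l < "$f" | tr -d ' ')"
    done | sort
}

log_rates() {
    # $1 and $2 are snapshot files from snapshot_log_lines taken $3 seconds
    # apart. Output "<logname> <lines/sec>" sorted by rate, descending.
    before=$1; after=$2; interval=$3
    join "$before" "$after" \
        | awk -v t="$interval" '{ printf "%s %.2f\n", $1, ($3 - $2) / t }' \
        | sort -k2 -nr
}

bro_log_rates() {
    # Assumption: broctl writes live logs to <prefix>/logs/current; adjust $1
    # for your installation. $2 is the sampling interval in seconds.
    dir=${1:-/usr/local/bro/logs/current}
    interval=${2:-10}
    a=$(mktemp); b=$(mktemp)
    snapshot_log_lines "$dir" > "$a"
    sleep "$interval"
    snapshot_log_lines "$dir" > "$b"
    log_rates "$a" "$b" "$interval"
    rm -f "$a" "$b"
}
```

A log that tops the list during the CPU spike is the one worth filtering or tuning first; note that line counts understate the cost of wide logs such as `http.log` with many fields.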