[Bro] BRO with PF_Ring multiplies log records

Azoff, Justin S jazoff at illinois.edu
Fri Aug 10 08:07:55 PDT 2018


> On Aug 10, 2018, at 7:44 AM, Yasha Levin <ee-berry at yandex.ru> wrote:
> 
> Mark, thanks for your response
>  
> I've tried setting PFRINGClusterID as you advised. Unfortunately that hasn't changed anything - I still see that each event is multiplied by the number of processes (x4 in my case). So each flow hits all the processes, with no actual balancing between them.
>  
> Anything else I could check?

Can you confirm that

    broctl config | grep pfring

outputs something like

    pfringclusterid = 21
    pfringclustertype = 4-tuple

There was a problem with this configuration in the bro-pf_ring plugin, but I got that fixed last September.
Did you install the plugin recently?


— 
Justin Azoff



