[Bro] Knowing when a worker crashes

Aashish Sharma asharma at lbl.gov
Wed Feb 14 16:22:07 PST 2018


> What is the easiest way to monitor if a worker crashes?
> And if a worker crashes, is there a way to automatically bring it back up?

1) broctl cron helps. Running it every N (5?) mins will check if any worker has
crashed and will restart those:

### broctl cron: process and disk maintenance
*/5 * * * *  /usr/local/bin/randsleep 59 && broctl cron


> What is the easiest way to monitor if a worker crashes?

Additional checks (nagios plugins) that help:

2) Bro process counts : 
	Each bro worker is two bro processes + 1 run-bro process, so a nagios monitor (or a simple bro process count) helps too.

3) conn log line counts : 
A while ago, I experienced an issue where the bro process count checks out but bro
won't process the packets on the interfaces. So there is another check which
counts how many conn logs each worker is generating and if there is a
discrepancy (or a worker missing), it generates an alert.

For this you'd have to load conn-peer.bro : https://gist.github.com/JustinAzoff/446d0abba2c6dd8ff242

Hope this helps, 
Aashish 

On Wed, Feb 14, 2018 at 06:23:51PM -0500, Ambros Novak wrote:
> Hello,
> 
> What is the easiest way to monitor if a worker crashes?
> And if a worker crashes, is there a way to automatically bring it back up?
> 
> Ambros

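Added example, not part of the original message or of Bro itself: a Nagios-style version of the conn log line count check from point 3 above, which flags workers that write no conn.log records or far fewer than their peers. It assumes conn-peer.bro adds a column named "peer" holding the worker name; the worker names, the 0.25 threshold and the sample log are constructed for illustration.

```python
# Added example: Nagios-style check of per-worker conn.log line counts.
# Assumption: conn-peer.bro adds a column named "peer" holding the worker name.
import statistics
from collections import Counter

# Constructed sample in Bro TSV format (header lines start with '#').
SAMPLE_LOG = "\n".join(
    ["#separator \\x09",
     "#fields\tts\tuid\tid.orig_h\tid.resp_h\tpeer"]
    + ["1518650000.0\tC%d\t10.0.0.1\t10.0.0.2\tworker-1" % i for i in range(40)]
    + ["1518650000.0\tD%d\t10.0.0.3\t10.0.0.4\tworker-2" % i for i in range(36)]
    + ["1518650000.0\tE%d\t10.0.0.5\t10.0.0.6\tworker-3" % i for i in range(3)]
    + ["#close\t2018-02-14-16-00-00"]
)

def count_by_peer(lines, column="peer"):
    """Count conn.log records per worker using the #fields header."""
    idx, counts = None, Counter()
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            # First token is the literal "#fields"; the rest are column names.
            idx = line.split("\t")[1:].index(column)
        elif line and not line.startswith("#"):
            if idx is None:
                raise ValueError("no #fields header before data")
            counts[line.split("\t")[idx]] += 1
    return counts

def check_workers(lines, expected, min_ratio=0.25):
    """Return (nagios_exit_code, message). 0 = OK, 2 = CRITICAL."""
    counts = count_by_peer(lines)
    # A worker with zero records is crashed or not seeing packets.
    missing = sorted(w for w in expected if counts[w] == 0)
    median = statistics.median(counts[w] for w in expected)
    # A worker far below the median is the "discrepancy" case.
    low = sorted(w for w in expected
                 if 0 < counts[w] < min_ratio * median)
    if missing or low:
        return 2, "CRITICAL: missing=%s low=%s" % (missing, low)
    return 0, "OK: %s" % dict(sorted(counts.items()))

if __name__ == "__main__":
    workers = ["worker-1", "worker-2", "worker-3", "worker-4"]
    code, msg = check_workers(SAMPLE_LOG.splitlines(), workers)
    print(msg)
    raise SystemExit(code)
```
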
