[Bro] Bro-2.5.2 and PF_RING 6.7 not load balancing properly
Azoff, Justin S
jazoff at illinois.edu
Wed Jan 31 08:25:37 PST 2018
> On Jan 30, 2018, at 3:07 PM, Lamps, Jereme <jlamps at sandia.gov> wrote:
>
> It appears PF_RING is not properly load balancing between Bro instances. For example, I have a single Bro node with 5 bro procs. Every entry in http.log is duplicated 5 times (exact timestamp and all fields are identical except the UID). My conclusion is pf_ring is not splitting the traffic and that all procs are seeing all the traffic.
You may be running into an issue that was recently fixed in broctl and will be resolved in the next release. Depending on the order you install things in, pf_ring load balancing can end up disabled.
What does the following output for your host?
[root at bro-dev ~]# broctl config | grep pfring
pfringclusterid = 21
pfringclustertype = 4-tuple
ringfirstappinstance = 0
if you have pfringclusterid set to 0, that's the problem that was just fixed. You can easily workaround that by adding
PFRINGClusterID = 21
to your /usr/local/bro/etc/broctl.cfg
Once that is there, a broctl deploy should get everything working.
—
Justin Azoff
More information about the Bro
mailing list