[Bro] is there a bro script to ignore duplicated logs?

fatema bannatwala fatema.bannatwala at gmail.com
Thu Oct 4 05:57:14 PDT 2018


How many workers do you have in your cluster?
Many months ago, we had a split connections issue, where Seth provided a
script to add the worker node to conn.log to see where exactly packets are
being processed, i.e. which nodes.

You can run this script and see on which workers the duplicate connections
are happening, and go from there:

$ cat add-node-to-conn.bro
##! Add the name of the current node to conn.log

@load base/protocols/conn

export {
        redef record Conn::Info += {
                ## The name of the node where this connection was analyzed.
                node: string &log &optional;
        };
}

event connection_state_remove(c: connection) &priority=2
        {
        c$conn$node = peer_description;
        }
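
One way to read the resulting conn.log, as an added example that is not part of the original post or of Seth's script: it groups records by 5-tuple and reports the tuples logged by more than one node. The sample log lines, the worker names, the choice of the 5-tuple as the grouping key and the 60-second window are all assumptions made for this illustration.

```python
from collections import defaultdict

# Constructed sample: conn.log in Bro TSV format with the extra "node" column
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tnode",
    "1538657834.10\tCaaa1\t10.0.0.5\t51234\t192.0.2.10\t443\ttcp\tworker-1-1",
    "1538657834.12\tCbbb2\t10.0.0.5\t51234\t192.0.2.10\t443\ttcp\tworker-2-3",
    "1538657835.40\tCccc3\t10.0.0.7\t40000\t192.0.2.20\t53\tudp\tworker-1-2",
    "1538657900.00\tCddd4\t10.0.0.7\t40000\t192.0.2.20\t53\tudp\tworker-1-2",
    "#close\t2018-10-04-06-00-00",
])

KEY_FIELDS = ("id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto")

def read_conn_log(text):
    """Yield one dict per record, using the #fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("data line before #fields header")
            yield dict(zip(fields, line.split("\t")))

def split_connections(text, window=60.0):
    """Return {5-tuple: sorted node names} for tuples logged by more than
    one node within `window` seconds of each other (window is an assumption)."""
    seen = defaultdict(list)
    for rec in read_conn_log(text):
        key = tuple(rec[f] for f in KEY_FIELDS)
        seen[key].append((float(rec["ts"]), rec.get("node", "-")))
    result = {}
    for key, entries in seen.items():
        entries.sort()  # by timestamp, so neighbours are closest in time
        nodes = set()
        for (t1, n1), (t2, n2) in zip(entries, entries[1:]):
            if n1 != n2 and t2 - t1 <= window:
                nodes.update((n1, n2))
        if nodes:
            result[key] = sorted(nodes)
    return result

if __name__ == "__main__":
    for key, nodes in split_connections(SAMPLE_CONN_LOG).items():
        print("\t".join(key), "seen on", ", ".join(nodes))
```

A 5-tuple that keeps appearing on the same pair of workers points at how traffic is being distributed to those workers rather than at the logging itself.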