[Zeek] Question regarding distributed clustering with Zeek!
fatema bannatwala
fatema.bannatwala at gmail.com
Tue Jan 22 13:19:28 PST 2019
Hey Jon,
Thanks for the insights!
Makes sense, that's what I was wondering: that I can run a second manager
from another install with a different prefix on the same server. I have
done that before, but only for testing purposes, and just wanted to make
sure to ask the experts if there's any other way before moving ahead with
that idea for production. :)
Also, for the same purpose, I was checking the ports currently in use on the
manager, and it looks like it is using two ports currently to communicate
with the worker systems:
On manager: $ netstat | grep bro | cut -d':' -f2 | cut -d' ' -f1 | sort |
uniq -c | sort -rn
92 47762
92 47761
And top is showing two manager and two logger processes running; hmm, is that
why it's using two ports?
$ top
top - 12:40:10 up 5 days, 20:37, 2 users, load average: 1.72, 1.78, 1.90
Tasks: 453 total, 5 running, 448 sleeping, 0 stopped, 0 zombie
%Cpu(s): 5.4 us, 2.7 sy, 1.0 ni, 90.6 id, 0.2 wa, 0.0 hi, 0.1 si,
0.0 st
KiB Mem : 10697342+total, 1324448 free, 16529272 used, 89119696 buff/cache
KiB Swap: 8388600 total, 8388600 free, 0 used. 89549296 avail Mem
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
26511 bro 20 0 366.9g 13.1g 7668 R 75.6 12.8 5710:39
/usr/local/bro/2.5.4/bin/bro -U .status -p broctl -p broctl-live -p local
-p manager local.bro broctl base/frameworks/cluster local-manager.bro
broctl/auto
26552 bro 25 5 2671796 455148 1288 R 72.9 0.4 7010:04
/usr/local/bro/2.5.4/bin/bro -U .status -p broctl -p broctl-live -p local
-p manager local.bro broctl base/frameworks/cluster local-manager.bro
broctl/auto
26465 bro 20 0 1092876 316760 7364 R 54.5 0.3 3294:08
/usr/local/bro/2.5.4/bin/bro -U .status -p broctl -p broctl-live -p local
-p logger local.bro broctl base/frameworks/cluster local-logger.bro
broctl/auto
26484 bro 25 5 543848 433868 1260 S 19.1 0.4 1058:57
/usr/local/bro/2.5.4/bin/bro -U .status -p broctl -p broctl-live -p local
-p logger local.bro broctl base/frameworks/cluster local-logger.bro
broctl/auto
On Tue, Jan 22, 2019 at 2:49 PM Jon Siwek <jsiwek at corelight.com> wrote:
> On Tue, Jan 22, 2019 at 11:20 AM fatema bannatwala
> <fatema.bannatwala at gmail.com> wrote:
>
> > Therefore wanted to ask if multiple managers (two potentially) can be
> > set up on a single system for two separate Zeek clusters (internal and
> > external)?
> >
> > Or does Zeek yet support distributed clustering?
>
> Don't think it's that sophisticated at the moment. You might get what
> you want if a single Bro/BroControl install had the ability to let a
> user dynamically choose which config file to use and then you can set
> up two different cluster configs on the same system (it's probably not
> too difficult to patch/hack in if you are desperate). Otherwise, I
> imagine a crude, but working solution is to have two installations on
> the same system using a different --prefix: they'd then have different
> config files and log dirs by default. There's also the matter of
> setting BroPort in each broctl.cfg far enough away from each other
> such that there are no port conflicts.
>
> - Jon
>
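Added example, not part of the thread or of BroControl itself: a small POSIX shell check for the port-spacing point in Jon's reply. Two Bro installs with different --prefix values each have their own broctl.cfg, and the script reads BroPort from each and reports whether the two clusters' port ranges collide. It assumes (not confirmed by the thread) that broctl hands out one consecutive port per node starting at BroPort, so a cluster of N nodes occupies BroPort .. BroPort+N-1; the two ports 47761 and 47762 in the netstat output above are consistent with that (logger and manager each listening). The config files, prefixes and node counts below are constructed for the example; the 47761 fallback is BroControl's default BroPort.

```shell
#!/bin/sh
# Example check (not from the mailing-list thread): do two BroControl
# installs on the same host keep their BroPort ranges apart?
# Assumption: broctl assigns consecutive ports, one per node, starting at
# BroPort, so a cluster with N nodes uses BroPort .. BroPort+N-1.

# Print the BroPort value from a broctl.cfg; fall back to 47761 (the
# BroControl default) when the key is absent or commented out.
broport_of() {
    port=$(sed -n 's/^[[:space:]]*BroPort[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1)
    echo "${port:-47761}"
}

# ranges_disjoint START_A COUNT_A START_B COUNT_B
# Succeeds (0) when [a, a+na-1] and [b, b+nb-1] share no port, fails (1) otherwise.
ranges_disjoint() {
    a=$1; na=$2; b=$3; nb=$4
    a_end=$((a + na - 1))
    b_end=$((b + nb - 1))
    if [ "$a_end" -lt "$b" ] || [ "$b_end" -lt "$a" ]; then
        return 0
    fi
    return 1
}

# check_two_installs CFG_A NODES_A CFG_B NODES_B
# Succeeds when the two clusters' port ranges are disjoint, fails on overlap.
check_two_installs() {
    pa=$(broport_of "$1"); pb=$(broport_of "$3")
    range_a="$pa-$((pa + $2 - 1))"
    range_b="$pb-$((pb + $4 - 1))"
    if ranges_disjoint "$pa" "$2" "$pb" "$4"; then
        echo "ok: $1 uses $range_a, $3 uses $range_b"
        return 0
    fi
    echo "CONFLICT: $1 uses $range_a, $3 uses $range_b" >&2
    return 1
}

# Constructed sample configs standing in for the broctl.cfg of two installs
# (hypothetical prefixes /usr/local/bro and /opt/bro-ext).
tmp=$(mktemp -d)
cat > "$tmp/internal.cfg" <<'EOF'
# internal cluster, default port
LogDir = /usr/local/bro/logs
BroPort = 47761
EOF
cat > "$tmp/external.cfg" <<'EOF'
# external cluster, moved well away from the default
LogDir = /opt/bro-ext/logs
BroPort = 48761
EOF
cat > "$tmp/external_bad.cfg" <<'EOF'
# external cluster left only a few ports above the internal one
BroPort = 47765
EOF
cat > "$tmp/default.cfg" <<'EOF'
# no BroPort line at all: broctl falls back to 47761
LogDir = /usr/local/bro/logs
EOF

# Demo with 8 nodes per cluster (constructed count: manager, logger,
# proxy and five workers). The second pair collides.
check_two_installs "$tmp/internal.cfg" 8 "$tmp/external.cfg" 8 || true
check_two_installs "$tmp/internal.cfg" 8 "$tmp/external_bad.cfg" 8 || true
```

Run it once after editing both broctl.cfg files and before `broctl deploy` on the second install; the node count is whatever `broctl nodes` reports for each cluster, and a non-zero exit means one of the BroPort values needs to move further away.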