14 Jan
2012
14 Jan
'12
7:05 p.m.
All,
Saw a similar issue discussed here:
http://permalink.gmane.org/gmane.comp.security.detection.bro/4055, but
I am not using pf_ring to load balance and this was working for me not
long ago while running beta. I am thinking maybe a permissions issue?
[localhost]$ sudo broctl netstats
worker-1: <error: cannot connect to 192.168.0.5:47763>
worker-2: <error: cannot connect to 192.168.0.5:47764>
worker-3: <error: cannot connect to 192.168.0.5:47765>
worker-4: <error: cannot connect to 192.168.0.5:47766>
worker-5: <error: cannot connect to 192.168.0.5:47767>
worker-6: <error: cannot connect to 192.168.0.5:47768>
worker-7: <error: cannot connect to 192.168.0.5:47769>
worker-8: <error: cannot connect to 192.168.0.5:47770>
Everything seems to be running like it should though: (Except the ???'s)
[localhost]$ sudo broctl status
Name Type Host Status Pid Peers Started
manager manager 192.168.0.5 running 19387 9 14 Jan 20:33:07
proxy-1 proxy 192.168.0.5 running 19423 ??? 14 Jan 20:33:09
worker-1 worker 192.168.0.5 running 20539 ??? 14 Jan 20:33:11
worker-2 worker 192.168.0.5 running 20541 ??? 14 Jan 20:33:11
worker-3 worker 192.168.0.5 running 20546 ??? 14 Jan 20:33:11
worker-4 worker 192.168.0.5 running 20549 ??? 14 Jan 20:33:11
worker-5 worker 192.168.0.5 running 20552 ??? 14 Jan 20:33:11
worker-6 worker 192.168.0.5 running 20556 ??? 14 Jan 20:33:11
worker-7 worker 192.168.0.5 running 20558 ??? 14 Jan 20:33:11
worker-8 worker 192.168.0.5 running 20560 ??? 14 Jan 20:33:11
[localhost]$ sudo broctl capstats
Interface kpps mbps (10s average)
------------------------------
192.168.0.5/eth10 2.1 10.6
192.168.0.5/eth11 1.9 8.6
192.168.0.5/eth4 1.7 6.3
192.168.0.5/eth5 1.8 8.3
192.168.0.5/eth6 2.5 9.0
192.168.0.5/eth7 1.2 4.3
192.168.0.5/eth8 1.8 7.8
192.168.0.5/eth9 2.3 11.1
Total 15.3 66.0
Also, I am wondering what kind of issues I might run into managing
several geographically disparate clusters from a single manager.
Currently, I have each setup as a separate bro cluster. I am most
concerned about the amount of traffic and possible congestion this
might cause. Is there a way to measure the amount of traffic between
the workers and manager if all are on the same server? Would there be
major drawbacks by having the manager on a remote server, like
potential delayed or dropped communications?
Thanks in advance for the feedback.
-Will
15 Jan
15 Jan
8:10 p.m.
On Jan 14, 2012, at 10:05 PM, Will wrote:
[localhost]$ sudo broctl netstats
worker-1: <error: cannot connect to 192.168.0.5:47763>
Everything seems to be running like it should though: (Except the ???'s)
All of the output indicates that there is either a problem with your broccoli-python
bindings, a firewall issue (not likely in your case since they all seem to be running on a
single host), or there could be other Bro processes that have accidentally been forgotten
about. To help debug this, could you send me…
- The content of node.cfg
- The output from the "ps.bro" command in broctl
- A snippet from your manager's communication.log when you try to run
"netstats".
You might also want to try removing the old installation and reinstalling (save your site/
directory!). I'm starting to suspect that something may have happened recently that
is causing this to be a problem with the broccoli-python bindings if you reinstall in
place.
Also, I am wondering what kind of issues I might run
into managing
several geographically disparate clusters from a single manager.
Currently, I have each setup as a separate bro cluster. I am most
concerned about the amount of traffic and possible congestion this
might cause.
This is a very similar deployment model to the deep cluster we've been talking about
for a little while but this is more of a shallow cluster model. :) I don't have any
experience yet with people using remote managers, I suppose a lot of potential performance
problems could come from the workers -> manager connection not being fast enough.
I'd be glad to work on it directly with you, it would be great to finally get some
relevant experience with that deployment model.
Is there a way to measure the amount of traffic
between
the workers and manager if all are on the same server?
You can always run tcpdump on your loopback interface. Capstats should even work on the
loopback interface. Unfortunately, you'd only be able to filter down easily to
traffic that is being sent to your manager. Traffic sourced from your manager process
would be a bit harder, but there isn't much of that fortunately.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
16 Jan
16 Jan
8:20 a.m.
[localhost]$
sudo broctl netstats
worker-1: <error: cannot connect to 192.168.0.5:47763>
Everything seems to be running like it should though: (Except the ???'s)
All of the output indicates that there is either a problem with your broccoli-python
bindings, a firewall issue (not likely in your case since they all seem to be running on a
single host), or there could be other Bro processes that have accidentally been forgotten
about.
5:33 p.m.
On Jan 16, 2012, at 11:20 AM, Will wrote:
Just FYI, Seth nailed it. I had re-installed new bro
over old bro
before stopping the running processes.
Good to hear that it's working for you now. This is actually a problem we're
planning on addressing too. The related ticket is here:
http://tracker.bro-ids.org/bro/ticket/253
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
3610
days inactive
3612
days old
3 comments
2 participants
participants (2)
-
Seth Hall -
Will