Adding more bro workers

John_Edwards · November 24, 2016, 8:40am

Hi all,

As i have a standalone bro worker at the moment i am wanting to branch out and add more workers to the same link because of a high rate of packet loss.

the worker has the fibre card receiving the direct packet stream from our TAP. When i upgrade to cluster mode i will be building two more systems, one for the management/proxy/logger and then another worker.

As one worker will have the fibre card how does the worker number 2 or 3 or 4 in the future receive traffic to assist in processing the data feed? is the load shared between workers that reside on the same subnet? as the feed from the tap is just a passive fibre feed with no routing configured on it.

i hope each worker doesnt need to have a fibre card added into the same tap point.

Cheers
John

JonZeolla · November 24, 2016, 10:52am

In my scenario we use a switch (specifically an arista 7150 with a Z licence) to do symmetric load balancing to a cluster of bro sensors. That requires that all of my sensors have the appropriate NICs (myricoms for me).

Check out what the architecture documentation refers to as the frontend. https://www.bro.org/sphinx/cluster/index.html#frontend

Jon

Topic		Replies	Views
New Bro cluster Zeek	1	95	May 6, 2022
New Cluster configuration Zeek	4	76	May 6, 2022
Bro Cluster Missing Many HTTP Requests Zeek	1	78	May 6, 2022
About Bro Cluster Configuration Zeek	3	102	May 6, 2022
#943: PF_Ring plugin to support load balancing while sniffing multiple interfaces Development development	3	151	May 6, 2022

Adding more bro workers

Related topics