bro cluster and load balancers

Zeek
1

I still do not understand this… If I have

  1. 1 manager node
  2. 1 logger node
  3. 2 worker nodes

and I load balance between the two worker nodes, how, if at all, does the manager know if a session is split across multiple worker nodes? The worker nodes (as mentioned before) would have to spit considerable amounts of traffic information back up to the manager node. My load balancer uses 5 tuples to determine where to send traffic for a given session. I need to limit the number of physical servers assigned to this cluster due to budgetary constraints, and ideally, 2 stand alone worker/manager/logger all in one systems would be more doable than 3 or 4 physical systems. I am under the impression that in the previous thread on this, load balancing in this way is impossible since conn tracking wouldn’t work without a manager handling both worker hosts???

2

and I load balance between the two worker nodes, how, if at all, does the
manager know if a session is split across multiple worker nodes? The worker
nodes (as mentioned before) would have to spit considerable amounts of
traffic information back up to the manager node. My load balancer uses 5
tuples to determine where to send traffic for a given session.

I guess by session you mean connection: If your load balancer uses
5-tuples *symmetrically* there shouldn't be any split connection.
Accordingly each connection can be analyzed by a worker without
interaction with other nodes. State that is shared across the cluster
depends on the scripts (e.g., scan.bro), which build upon the events
spit out by the analyzers. So there is no need to send traffic to other
nodes of the cluster.

Jan