I’m just getting started with Bro. So far I’m really liking the data I get, even just out of the box. I’ve got one standalone host running with PF_RING enabled and 8 workers. I am also testing multi-host clustering, and have two worker hosts running 6 workers each (again, with PF_RING), with the manager and proxy running on a third host. All three worker hosts are being fed tap data from an Arista Networks 7150. The standalone host is getting data from a regular Tool port, and the other two are getting it from a PortChannel. Both tool ports are connected to the same Aggregation Group, so both Bro systems should be getting exactly the same data.
As expected, the standalone box has a much higher CPU load, and it occurred to me today that I should bump the number of workers down so I could free up a core for the manager. I got some stats from yesterday…
Single Bro Host