Cluster minimal logs on manager

Jamie_Saker · March 22, 2016, 6:14pm

After upgrading/reinstalling the OS on my Bro manager, with a network of a dozen workers, I’ve managed to end up where I’m only seeing minimal logs at the manager (the manager is also the sole proxy):

communication.log
loaded_scripts.logreporter.log
stderr.log
stdout.log

When I run Bro standalone on one of the sensors, all is well again. I’ve exchanged the keys so that Bro can manage the workers just fine but apparently the logging isn’t being communicated correctly. Any recommendations other than rebuilding sensors from the OS up? I also know the sensors are seeing good traffic - Snort runs just fine on a tested sensor along with tcpdump, etc.

Thanks -

Jamie

Azoff_Justin_S · March 22, 2016, 6:44pm

Can your workers connect to your manager on tcp port 47761-47763 or so?

You probably want an iptables rule similar to

iptables -A INPUT -s your.subnet.here/24 -p tcp -m multiport --dports 47000:48000 -m comment --comment "200 accept bro cluster connections" -j ACCEPT

on the different machines so everything can communicate properly.

Jamie_Saker · March 22, 2016, 7:02pm

Justin -

That was it! Sigh… a little over-eager UFW implementation. I added the range and that did the trick. Now to lock it down to only sensor IPs… Thank you so much.

Cheers -

Jamie

Topic		Replies	Views
Bro manager dies in a large cluster Zeek	1	77	May 6, 2022
bro logs stopped Zeek	2	101	May 6, 2022
Manager and logger threads crash immediately on deploy Zeek	5	98	May 6, 2022
cluster manager log buffering Zeek	1	88	May 6, 2022
required ports open for cluster? Zeek	8	86	May 6, 2022

Cluster minimal logs on manager

Related Topics