deep cluster documentation & status

Zeek
1

Is there any additional documentation on the deep cluster as noted here:

https://www.bro.org/development/projects/deep-cluster.html

I would like to contribute to this, but the status of this project is unclear from the documentation, and there are some requirements that need to be laid out in Bro itself to make this work, such as logging the hostname associated with a given worker node in every log file in order to track node health.

The @stats option gives you incremental information for all node types, BUT, that is all it does. Determining from incremental counters when Bro fails or loses capture through a network connectivity issue becomes impossible when all the data in the logger node is intermingled. Having the hostname in all the logs means you can simply track the event count rate (non-incremental) in your visualization tool of choice, like ELK or Splunk.

2

Hello Eric,

Is there any additional documentation on the deep cluster as noted here:

https://www.bro.org/development/projects/deep-cluster.html

There is not as far as I know. Also - note that this is a project
description and there is no guarantee that anything that is described in
there is working or will work like that in the future. It also is not
anywhere close to done as far as I know.

The best person to contact with questions about this is probably Mathias
Fischer (mfischer@informatik.uni-hamburg.de).

Johanna