I’m running into an issue where I’m seeing multiple entries in my logs for a single event which is duplicated 4 times. The entries are all identical except for the UID. I’m running 4 worker processes on the server monitoring one interface.
node.cfg:
[manager]
type=manager
host=10.1.26.22
[proxy]
type=proxy
host=10.1.26.22
[bro-eth0]
type=worker
host=10.1.26.22
interface=eth0
lb_method=pf_ring
lb_procs=4
Any thoughts?
Thanks in advance,
Brendan
It sounds like something isn't installed correctly. Did you successfully build Bro against the pf_ring libpcap wrapper? Your traffic isn't load balancing and each worker is getting the full stream.
Maybe you could show us your configure command? You can see exactly what you did if you go to your source and look at build/config.status
.Seth
Make sure lsmod shows that the pf_ring module is loaded. If it's not loaded, modprobe pf_ring
Or verify the eth0 interface is running with pf_ring by checking /proc/net/pf_ring/dev/eth0/info
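
One way to confirm the symptom from the first message before and after fixing the pf_ring setup (an added example, not part of the thread or of Bro itself): group log records on every field except uid and count how many distinct UIDs share each record. The sample log lines are constructed, the function names are hypothetical, and lb_procs=4 is taken from the node.cfg above.

```python
import collections

# Constructed sample in Bro's tab-separated log layout (not from the thread):
# one connection logged by all four workers, plus one connection logged once.
SAMPLE_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1365000000.100000\tCaaa111\t10.1.26.50\t49152\t10.1.26.80\t80\ttcp",
    "1365000000.100000\tCbbb222\t10.1.26.50\t49152\t10.1.26.80\t80\ttcp",
    "1365000000.100000\tCccc333\t10.1.26.50\t49152\t10.1.26.80\t80\ttcp",
    "1365000000.100000\tCddd444\t10.1.26.50\t49152\t10.1.26.80\t80\ttcp",
    "1365000002.500000\tCeee555\t10.1.26.51\t49200\t10.1.26.80\t443\ttcp",
])


def find_uid_only_duplicates(log_text):
    """Return {record-without-uid: [uids]} for records that differ only in uid."""
    fields = None
    groups = collections.defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            if "uid" not in fields:
                raise ValueError("log has no uid column")
            continue
        if not line or line.startswith("#"):
            continue  # other header/footer lines such as #types or #close
        if fields is None:
            raise ValueError("no #fields header before the first record")
        values = line.split("\t")
        if len(values) != len(fields):
            continue  # truncated or malformed record
        record = dict(zip(fields, values))
        key = tuple(record[f] for f in fields if f != "uid")
        groups[key].append(record["uid"])
    return {k: uids for k, uids in groups.items() if len(set(uids)) > 1}


def summarize(log_text, lb_procs=4):
    """Count duplicated events and how many were seen once per worker process."""
    dups = find_uid_only_duplicates(log_text)
    per_worker = sum(1 for uids in dups.values() if len(set(uids)) == lb_procs)
    return {"duplicated_events": len(dups), "seen_by_every_worker": per_worker}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

If nearly every duplicated event is seen once per worker, each process is receiving the full stream, which matches the load-balancing failure described in the replies.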