I have a cluster running Bro 2.6.4. One host runs a manager and logger; 8 other hosts run proxy and worker nodes.
Lately the logger node has not been able to keep up with the logs, and I’ve noticed that the most recent entries in the current/conn.log are significantly delayed (I’ve seen delays as high as 90 minutes).
The logger process has maxed out CPU usage on core 1. The node.cfg file specifies 8 CPU cores (all on the same NUMA node as the NVMe drive where the logs are written):
broctl nodes shows that only 1 CPU core is pinned:
logger - addr=10.x.x.x aux_scripts= brobase= count=1 env_vars= ether= host=bromanager-01.umn.edu interface= lb_interfaces= lb_method= lb_procs= name=logger pin_cpus=1 test_mykey= type=logger zone_id=
Can pin_cpus be used with a logger node? Any other suggestions for improving logger performance?