Hi everyone
Today I successfully installed Bro as a standalone worker on an Ubuntu system. It has 16 cores, 8GB RAM (can be expanded) and about 2TB of disk. It's receiving traffic from a passive fibre network interface.
The interface configuration is as follows:
br0 - bridged interface
  p1p1 - RX of fibre
  p1p2 - TX of fibre
br1 - bridged interface
  p2p1 - RX of fibre
  p2p2 - TX of fibre
So I have br0 configured and being monitored correctly. br0 is monitoring one part of the network up towards public-facing infrastructure, and br1 is monitoring more local stuff, so it's not NAT'd and is closer to the hosts.
As it is one physical system with 2 interfaces, what is the best way for me to monitor both feeds and log them correctly? All of my logs are being fed into a SIEM with JSON output.
Can I have separate roles configured on the one physical system, with each interface defined as a separate worker?
So PF_RING as the front end, then a manager and proxy, but with each worker defined within the cluster worker config as the same host but a different interface.
Or should I suggest getting additional hardware and splitting the interfaces? It seems a little silly that one worker can only monitor one interface, I thought. That's why I thought I'd ask here first.
Thanks,
John
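One way to express the setup John is asking about in BroControl's node.cfg, as an added example that is not part of the original post: a manager, a proxy and two worker nodes all on the same host, each worker bound to one of the bridge interfaces and using PF_RING load balancing. The node names, lb_procs counts, pin_cpus assignments and the install path are assumptions; Bro must be built against PF_RING for lb_method=pf_ring to work.

```ini
# Assumed path: /usr/local/bro/etc/node.cfg
# One physical host running every role. Each [worker-*] section is one
# logical worker tied to one interface, so br0 and br1 are both monitored
# from the same box without needing a second machine.

[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

# Worker for the public-facing feed on br0.
# lb_procs is the number of Bro processes sharing this interface's flows;
# 6 is an assumed split of the 16 cores. pin_cpus is an assumed pinning
# that leaves cores 0-1 free for the manager and proxy.
[worker-br0]
type=worker
host=localhost
interface=br0
lb_method=pf_ring
lb_procs=6
pin_cpus=2,3,4,5,6,7

# Worker for the local, non-NAT'd feed on br1.
# BroControl gives each PF_RING worker on the same host its own cluster id,
# starting from the PFRINGClusterID base set in broctl.cfg.
[worker-br1]
type=worker
host=localhost
interface=br1
lb_method=pf_ring
lb_procs=6
pin_cpus=8,9,10,11,12,13
```

JSON output for the SIEM is a separate setting in local.bro (`@load tuning/json-logs` on Bro 2.x), not something set per worker. After editing node.cfg, `broctl check` followed by `broctl deploy` applies it, and `broctl status` should then list both worker groups.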