I followed this howto http://ossectools.blogspot.com/2011/09/bro-quickstart-cluster-edition.html however I am finding bro is now reporting 4 of everything so the load balancing isn’t working. How can I verify PF_RING is load balancing or what could I be missing? Is there a better document I should be looking at?
Jeff
Those directions are outdated. Instead of configuring separate workers you should configure a single worker per interface you are sniffing like this…
[worker-1]
host=1.2.3.4
interface=eth0
lb_method=pf_ring
lb_procs=4
That will automatically enable the pf_ring load balancing and start up four processes that the traffic on eth0 is load balanced across.
.Seth
I updated the post to show the new, shorter config.
Awesome! Thanks Martin!
.Seth