PF_RING Help Needed

promerocenic · October 12, 2017, 9:14pm

All,

I’ve been meaning to get PF_RING going for a while and am now trying to focus on getting it working. Until now I’ve been running the “standalone” [bro] config at the top of my node.cfg output below. I’ve been thru the past threads and came across some info related to output that might confirm if pf_ring and bro were compiled together correctly. Below I’ve add the output of some of the commands suggested for input on troubleshooting the issue.

I suspect an error in some part of my config or setup since I don’t get any usable logs when the load-balance/pf_ring node.cfg setting are enabled. If I comment them out and do a broctl deploy usable logs immediately appear in my log directory. Any hints or suggestions as to why my pf_ring configuration is not working would be greatly appreciated. Let me know if any additional details I need to provide would help shed some light on my issue.

[root@xxx-bro-1 etc]# cat node.cfg

Example BroControl node configuration.

Azoff_Justin_S · October 12, 2017, 9:22pm

Can you clarify specifically which lines you are commenting out? Does the below configuration work?

[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

[worker-1]
type=worker
host=localhost
interface=ens2f0

promerocenic · October 12, 2017, 9:31pm

I comment out all the [manger], [proxy-1], and [worker-1] lines (including the names) below and re-enable the below standalone [bro] lines.

[bro]
type=standalone
host=localhost
interface=ens2f0

promerocenic · October 12, 2017, 9:41pm

I just tried the below node.cfg setting and it did not seem to fix the issue. The weird thing is that I never really get a noticeable error during the startup process. It says stuff is running, but I just don't get any logs. I also am not able to pull a "broctl netstats" output when load-balancing is configured, but I can when it is not.

Azoff_Justin_S · October 12, 2017, 10:01pm

OK! This is not a load balancing problem or a pf_ring problem at all.

The different bro processes are unable to connect to each other. Check that 'localhost' resolves to 127.0.0.1 and that you don't have any iptables rules applied to the lo interface that would be preventing processes from reaching each other.

promerocenic · October 12, 2017, 10:12pm

Success, for now. I put back my original lb node.cfg config and turned off the local firewall to see if stuff would work. It does. Now I need to get my system admin team to adjust their standard server firewall config to allow the bro processes to talk locally. Thanks for the help.

Philip

James_Lay · October 12, 2017, 10:13pm

Make sure you've followed this:

https://www.bro.org/documentation/load-balancing.html

Also, your logs may no longer be in spool, but might be in manager or logger directories.

James

Topic		Replies	Views
So before I upgrade (pf_ring revisit) Zeek	3	64	May 6, 2022
Quick pf_ring question Zeek	5	57	May 6, 2022
PF_RING Clustering Problem Zeek	4	54	May 6, 2022
Version: 2.0-907 -- Bro manager memory exhaustion Zeek	1	57	May 6, 2022
Building Bro with PF_RING Zeek	1	57	May 6, 2022

PF_RING Help Needed

Example BroControl node configuration.

Related Topics