specific logging per worker

Hi all,

If I have a cluster that contains 2 workers along with a proxy and logger etc., and Worker 1 watches and logs everything, is there a way I can tell Worker 2 to only log a specific protocol and not watch everything like Worker 1?

thanks

John

You can add worker-specific configuration to local.bro using the @if
directive.

For example something like...

@if ( Cluster::node == "worker-1" )
# things here will only be executed on node named worker-1
@endif

That being said - why exactly do you want to do that? In a traditional
cluster setting, the traffic is split evenly among the workers and you
typically want everyone to perform exactly the same actions.

Johanna

Hi Johanna, thanks for the info. I have 1 worker up at the border inspecting everything and another worker below a few firewalls and IPS systems. I have just installed another worker below all these inspection points, but because all workers feed into a SIEM there's no need for the likes of the conn.log etc. to be logging as much as it is off the same link, duplicated into the SIEM, as it's charged based on consumption.

So if we had a worker below our inspection points only logging some of the log types we would still get the security benefit of having a worker placed there without the storage requirements.

Thanks John
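
The approach discussed in this thread, written out as an added example for local.bro (not code posted by either participant): the @if guard limits the block to one node, which then turns off the high-volume streams. The node name "worker-2" and the contents of quiet_streams are assumptions; the name must match the entry in node.cfg.

```bro
# Added example: per-node log suppression in local.bro.
# "worker-2" is an assumed node name; use the name from node.cfg.
@load base/frameworks/cluster

# Streams the worker behind the inspection points should stop writing.
# The selection is an assumption; redef it to suit the SIEM budget.
const quiet_streams: set[Log::ID] = {
    Conn::LOG,
    DNS::LOG,
    HTTP::LOG,
    Files::LOG,
} &redef;

@if ( Cluster::is_enabled() && Cluster::node == "worker-2" )
# Negative priority so this runs after the base scripts have
# created their streams in their own bro_init handlers.
event bro_init() &priority=-5
    {
    for ( id in quiet_streams )
        Log::disable_stream(id);
    }
@endif
```

Disabling a stream only stops log writes from that node; the analyzers still run there, so notice.log and any stream not listed keep reporting from that vantage point.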