Standalone vs. Cluster on a single machine

Are there any benefits or issues with running a bro cluster on a single machine
instead of in standalone mode? I'm thinking that running it in cluster mode
from the start may make it easier to move to a cluster configuration in the
future, but I'm concerned that it might add unnecessary overhead in the
meantime.

I would just run in standalone mode. As far as I know (and Robin will know better), the only difference configuration-wise between standalone mode and cluster mode is the node.cfg file. If you run in cluster mode when you really only need standalone, you will have the overhead of extra bro processes running that aren't really necessary.

I would recommend that you stick to standalone mode for node and if you build a cluster eventually, the configuration steps necessary are going to be the least of your worries.

   .Seth

That's right, once it's running. During the initial installation,
there's one more difference: the standalone puts the various *.cfg
files in place, while the cluster installation only installs
templates which one then has to copy to the right place oneself
(because they need more editing).

I would also recommend using the stand-alone mode as long as you
don't want to try leveraging multiple cores in your box by running
multiple processes.

Robin