Hello, echo.... echo...
Hope someone out there is still subscribed to this list. I am migrating
Bro to a load balanced cluster. Since the traffic will be split between
16 or more worker nodes, I suspect I will need to run a separate
instance of Time Machine on each worker. This means I will have to
query 16+ machines, which will get a bit cumbersome.
Is there a more elegant way to set this up? I recall seeing TM cluster
mode in the todo meta ticket. Are there any options available today?
The way we are currently doing this is to have an altogether separate feed going to
a standalone TM instance. Since bro can talk to TM, we just point bro
using "TimeMachineHost=<ip-addr>" in the broctl.cfg file.
Also on TM you need to enable TM to listen to the bro connections by
setting up the following in the tm.conf:
bro_listen_port 47757; # 47757 is default
bro_listen_addr <IP on cluster-manager> ; # 127.0.0.1 is default
This should save you the trouble of aggregating the split traffic.
I am sure there are better/other ways to do the same, but this is what
we have in deployment here.
By separate feed, are you talking about a separate mirror port? I'm currently
splitting 10 Gbps with the load balancer. I was wondering more how to
capture that data with TM. Is your TM server capturing at 10 Gbps, or
whatever speed you are sending to bro? My current worker servers only
have 1 Gb interfaces. I haven't looked at putting a 10 Gb card into one
of them. Can newer servers handle feeding 10 Gbps to TM?
No, not really. A student once started to work on cluster support for
the TM, in the form of a TM proxy that would run on the manager and
relay queries/replies to/from the individual nodes. But that never got
very far unfortunately.
If you have a second mirror port, a separate TM machine with a 10G
interface (as Aashish wrote) might be the best solution right now,
assuming it can handle the load.