trouble of running multiple bro instances

john_Y1 · August 27, 2018, 3:40pm

Hello all!

I am facing with a lot of network traffic saved in pcaps and need to parse them very fast.
I tried using broctl but unfortunately it could not use all computer hardware.
So, I am running script which invoke a lot of bro instances, one for each pcap.
I am using my own bro script which dippend on bro http log and con log files.
Because each instance write his logs to the same folder, they run over each other.
Creating directory for each instance is too complex and not enough dynamically.

Can you offer something better?
Maby there is a way to make each instance save his logs to a different dir?
My invoke looks something like this :
" bro -C -r pcap_path bro_script_path "

johanna · August 27, 2018, 3:55pm

Hi John,

The typical solution for this is to write a short shell script wrapper that is invoked, instead of invoking Bro directly. That script can create the folders and put Bro in the correct folder to which the log files should be written.

The script can be as easy as

mkdir $1
pushd $1
bro -r /path/to/pcaps/$1.pcap

Or similar.

Topic		Replies	Views
Log file issues Zeek	2	100	May 6, 2022
Overwriting logs Zeek	3	70	May 6, 2022
Monitoring a directory and running bro on the PCAPs Zeek	8	191	May 6, 2022
Bro -r using multiple PCAP Zeek	5	257	May 6, 2022
BRO: the log files aren't the same every time Zeek	2	77	May 6, 2022

trouble of running multiple bro instances

Related topics