Using workers without SSH possible?

Dear list,

I'd like to operate 3 workers in different subnets. Unluckily, the network connection between manager/proxy and these subnets is really slow (around 500 kBit/s) and has frequent outages.

Is there a possibility to synchronize the nodes without the necessity to use SSH? Perhaps by a frequent file transfer using rsync?

Thanks and best regards,
Sven

I don't think I would feel comfortable running a cluster in the way you
describe. Generally speaking, you want cluster nodes to all exist on the
same layer 2 network.

Sven,

Doesn't rsync default to using ssh as its transport? Also, I'm not sure how using rsync vs. ssh improves things in the face of slow and unreliable networking between nodes; can you elaborate?

Best, -g

Thanks Stephen, do you know of a better way to have one bro instance that monitors multiple subnets?

Best regards, Sven

Glenn,

> Doesn't rsync default to using ssh as its transport? Also, I'm not sure
> how using rsync vs. ssh improves things in the face of slow and
> unreliable networking between nodes; can you elaborate?

I thought of locally collecting bro logs and having a cron job transfer the log file(s) at regular intervals. If the network is down for 5 minutes, no problem; the log files will be transferred the next time the cron job runs.

If you use "rsync -e ssh", rsync uses SSH as its transport, that's correct. But rsync also has a standalone daemon mode, in which SSH is not needed.

Thanks,
Sven

Actually BroControl is already using rsync over SSH, but it needs SSH
for other stuff as well, as it runs commands on the worker nodes. The
rsync is used for transferring the Bro setup over to the workers. The
logs on the other hand are sent back via Bro's internal communication,
neither SSH nor rsync involved there.

Changing any of this remains tricky currently. However, we are planning
to switch to a different deployment model eventually where each node
maintains its Bro setup itself (so no rsync necessary anymore) and
also keeps a persistent broctld running for inter-node communication
(so no SSH executing commands anymore).

With regard to other approaches to monitor subnets, some folks run a
single-machine Bro cluster with multiple interfaces and then send each
subnet's traffic to one interface. That can work pretty well in
practice, but might not apply to your situation.

Robin

Thanks for the detailed information, Robin. We are unable to send the traffic of each subnet to a central bro instance because the interconnection speed is about 500 kBit/s, while the subnets have 100 MBit/s or Gigabit Ethernet.

I am aware that rsync over SSH is already used. I was just searching for a "non-persistent" connection between the workers and the central manager/proxy because of frequent outages of the interconnection lines.

Thanks!
Sven

I would just run independent bro servers at each location and aggregate the logs to a central location out of band with a periodic rsync or perhaps a shipper like logstash. Assuming the clocks are in sync with ntp it’d be easy enough to correlate logs.
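The cron-driven log transfer Sven sketches (collect locally, push whatever has accumulated, retry after an outage) and the out-of-band aggregation suggested in the last reply amount to the same thing: a periodic shipper that talks to an rsync daemon on the manager instead of to sshd on the workers. The script below is an added example, written for this thread; it is not code from the thread, from Bro or from BroControl. It assumes BroControl's archived-log layout (`logs/YYYY-MM-DD/<stream>.<start>-<end>.log.gz`, with `logs/current/` holding the files Bro is still writing), and the hostname `manager.example.net`, the rsyncd module `brologs` and the user `sensorA` are placeholders. It ships only finished, rotated files that are not yet recorded in a manifest, so a run that dies halfway through an outage retries the remainder on the next tick; `--partial` lets rsync resume half-sent files instead of restarting them, and `--timeout`/`--contimeout` make a dead link fail fast rather than pile up stuck cron jobs.

```python
"""Cron-driven shipper for rotated Bro logs over rsync daemon mode (no SSH).

Assumed layout (BroControl's default archive; treat as an assumption):
  <logdir>/YYYY-MM-DD/<stream>.<start>-<end>.log.gz   finished, rotated logs
  <logdir>/current/                                   logs still being written
Only rotated files absent from a manifest are sent, so every cron tick is
idempotent and an outage just means "try again in five minutes".
"""
import fcntl
import json
import subprocess
from pathlib import Path

# Hypothetical names: replace with your manager host and rsyncd module.
DEST = "rsync://sensorA@manager.example.net:873/brologs/sensorA/"
MANIFEST = "shipped.json"   # kept inside logdir, lists already-shipped files
LOCK = ".ship.lock"         # prevents two ticks from overlapping on a slow link


def load_manifest(path):
    p = Path(path)
    return set(json.loads(p.read_text())) if p.exists() else set()


def save_manifest(path, shipped):
    tmp = Path(path).with_suffix(".tmp")
    tmp.write_text(json.dumps(sorted(shipped)))
    tmp.replace(path)   # atomic rename: a crash never leaves a truncated manifest


def select_shippable(logdir, shipped):
    """Relative paths of rotated logs (YYYY-MM-DD/*.log.gz) not yet shipped.
    'current/' (and any symlink) is skipped: Bro is still appending there."""
    out = []
    for day in sorted(Path(logdir).iterdir()):
        if day.is_symlink() or not day.is_dir() or day.name == "current":
            continue
        if len(day.name) != 10 or day.name.count("-") != 2:
            continue
        for f in sorted(day.glob("*.log.gz")):
            rel = f"{day.name}/{f.name}"
            if rel not in shipped:
                out.append(rel)
    return out


def rsync_command(relpaths, dest, timeout=60):
    """argv for one transfer against an rsync daemon (rsync:// URL, no SSH).
    --partial   keep half-sent files so the next tick resumes, not restarts
    --relative  recreate the YYYY-MM-DD/ directory under the module path
    --timeout   give up on a stalled link; --contimeout only applies to
                daemon connections and bounds the initial connect.
    The daemon password is read by rsync from $RSYNC_PASSWORD, not argv."""
    return (["rsync", "-a", "--partial", "--relative",
             f"--timeout={timeout}", f"--contimeout={timeout // 4}"]
            + list(relpaths) + [dest])


def ship(logdir, dest=DEST, manifest=MANIFEST, runner=subprocess.run):
    """One cron tick. Returns (files attempted, success flag).
    `runner` is injectable so the bookkeeping can be exercised offline."""
    logdir = Path(logdir)
    manifest = logdir / manifest
    with open(logdir / LOCK, "w") as lock:
        try:
            fcntl.flock(lock, fcntl.LOCK_EX | fcntl.LOCK_NB)
        except BlockingIOError:
            return [], False          # previous tick still stuck on the WAN link
        shipped = load_manifest(manifest)
        todo = select_shippable(logdir, shipped)
        if not todo:
            return [], True
        rc = runner(rsync_command(todo, dest), cwd=str(logdir)).returncode
        if rc != 0:
            # Manifest untouched: everything is retried next tick. Files that
            # did get through are re-offered, but rsync -a skips unchanged ones.
            return todo, False
        save_manifest(manifest, shipped | set(todo))
        return todo, True


if __name__ == "__main__":
    import sys
    done, ok = ship(sys.argv[1] if len(sys.argv) > 1 else "/usr/local/bro/logs")
    print(f"{'ok' if ok else 'retry next tick'}: {len(done)} file(s)")
```

A crontab entry such as `*/5 * * * * RSYNC_PASSWORD=... /usr/local/bin/ship_bro_logs.py /usr/local/bro/logs` on each sensor is enough; on the manager, `rsync --daemon` with a module that sets `auth users`, `secrets file` (mode 600) and `hosts allow` to the sensor subnets is the minimum configuration. Two caveats before choosing this over SSH: the rsync daemon protocol authenticates with a shared-secret challenge-response but carries the log data in the clear, so on an untrusted WAN it should ride inside a VPN or stunnel, at which point keeping SSH as the transport is often the simpler option; and because the rotated file names carry rotation times and the records carry Bro timestamps, NTP on every sensor is what makes the shipped logs correlatable afterwards, as the last reply notes.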