On Thu, Sep 6, 2018 at 2:47 PM Azoff, Justin S <jaz...@illinois.edu> wrote:
> I just got 2 clusters upgraded from
>
> fa7fa5aa to
> 452eb0cb
>
> And now everything is broken..
>
> cpu and memory are through the roof across the board, as well as network
> traffic, but it's not logging much.
>
> I may have created a message loop replacing the relay_rr stuff, but it's kind
> of hard to tell.

The recent forwarding changes would be my main suspicion and, at least in the default scripts, there's no communication patterns that actually make use of the automatic forwarding, so can you check if adding "redef Broker::forward_messages = F;" to site/local.bro makes a difference?

If it does fix things, then yeah, either I missed a forwarding loop in the default scripts or potentially you introduced one when replacing relay_rr (feel free to point me at stuff to look over). (Generally may want to just leave message forwarding turned off due to these types of dangers if that's what it turns out to be...).

> I guess one observation is that it is really hard to tell what bro/broker are
> doing. Before you could minimally
> tcpdump the communication and see what events were being sent back and forth,
> but now that is encrypted.

You can redef Broker::disable_ssl=T. I don't recall how readable the non-encrypted communications are, but I think I did it at least once or twice and still was able to spot event names.

- Jon

_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev