Bro Doctor

This plugin provides a "doctor" command for broctl that will help to troubleshoot various common cluster problems.

This plugin runs the following checks:

check_SAD_connections

Checks whether many recent connections have a one-sided history such as SAD or had

If any connections have a history that is one-sided (all uppercase or all lowercase), bro is only seeing half of the connection.

check_capture_loss

Checks for recent capture_loss.log entries

Capture loss should be as low as possible across all workers.

check_capture_loss_conn_pct

Checks what percentage of recent tcp connections show loss

Like capture loss, but instead of reporting the absolute loss amount, report the percentage of recent connections that show any loss at all.

check_deprecated_scripts

Checks if anything is in the deprecated local-logger.bro, local-manager.bro, local-proxy.bro, or local-worker.bro scripts

Unless you know what you are doing, you should ONLY be using local.bro.

check_duplicate_5_tuples

Checks if any recent connections have been logged multiple times

Each connection should only be logged once. If a connection is logged multiple times, especially once per worker, load balancing is not working properly.

check_connection_distribution

Checks if connections are unevenly distributed across workers

Usually, connections should be distributed evenly across workers. If connections are unevenly distributed, load balancing might not be working properly.

check_local_connections

Checks what percentage of recent tcp connections are remote to remote.

This will detect problems with networks.cfg not listing all subnets that should be considered local.

check_malloc

Checks if bro is linked against a custom malloc like tcmalloc or jemalloc

Bro performs best when using a better malloc than the standard one in glibc.

check_pfring

Checks pf_ring configuration

If bro is configured to use pf_ring, it needs to be linked against it. If bro is linked against pf_ring, it should be using it.

If the bro pf_ring plugin is installed, the interface name should start with pf_ring::

check_reporter

Checks for recent reporter.log entries

If bro is running well, there will be zero reporter.log messages.

Usage

broctl doctor [check] [check]

Examples

Run all checks

broctl doctor

Run just the duplicate check

broctl doctor check_duplicate_5_tuples
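The checks above (one-sided histories, capture loss, duplicate 5-tuples and remote-to-remote connections) all boil down to reading Bro's TSV logs and counting. The following is an added example, not the bro-doctor plugin's own code: it parses Bro's TSV log format, implements four of the checks over constructed conn.log and capture_loss.log excerpts, and exposes a run_doctor function that accepts check names the way `broctl doctor [check]` does. The log excerpts, the LOCAL_NETS list (a stand-in for networks.cfg) and the 1% capture-loss threshold are all assumptions made for the example.

```python
"""Added example, not the bro-doctor plugin's code: doctor-style checks over
Bro's TSV log format, run on constructed log excerpts."""
from ipaddress import ip_address, ip_network

# Constructed conn.log excerpt with a subset of the real columns; the parser
# keys rows by the #fields header, so extra columns in a real log are harmless.
CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\thistory
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring
1500000000.1\tCa1\t10.0.0.5\t50001\t93.184.216.34\t80\ttcp\tShADadFf
1500000000.2\tCb2\t10.0.0.6\t50002\t93.184.216.34\t443\ttcp\tSAD
1500000000.3\tCc3\t10.0.0.7\t50003\t198.51.100.9\t22\ttcp\thad
1500000000.4\tCd4\t203.0.113.4\t40000\t198.51.100.9\t25\ttcp\tShADadfF
1500000000.5\tCe5\t10.0.0.6\t50002\t93.184.216.34\t443\ttcp\tSAD
1500000000.6\tCf6\t10.0.0.8\t5353\t224.0.0.251\t5353\tudp\tD
1500000000.7\tCg7\t10.0.0.9\t50004\t10.0.0.1\t53\ttcp\t-
#close\t2017-07-14-02-40-00
"""

# Constructed capture_loss.log excerpt (one row per worker per interval).
CAPTURE_LOSS_LOG = """#separator \\x09
#unset_field\t-
#path\tcapture_loss
#fields\tts\tts_delta\tpeer\tgaps\tacks\tpercent_lost
#types\ttime\tinterval\tstring\tcount\tcount\tdouble
1500000900.0\t900.0\tworker-1\t12\t48000\t0.025
1500000900.0\t900.0\tworker-2\t3100\t52000\t5.961538
#close\t2017-07-14-02-55-00
"""

LOCAL_NETS = ["10.0.0.0/8"]  # assumed stand-in for the subnets in networks.cfg


def parse_bro_log(text):
    """Parse Bro's TSV log into dicts keyed by the #fields names; unset
    fields ('-' unless #unset_field says otherwise) become None."""
    sep, unset, fields, rows = "\t", "-", None, []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):  # e.g. "#separator \\x09"
                sep = line.split(" ", 1)[1].encode("ascii").decode("unicode_escape")
            elif line.startswith("#unset_field" + sep):
                unset = line.split(sep, 1)[1]
            elif line.startswith("#fields" + sep):
                fields = line.split(sep)[1:]
            continue  # #types, #open, #close and the rest are not needed here
        if fields is None:
            raise ValueError("data row before #fields header")
        rows.append(dict(zip(fields, [None if v == unset else v for v in line.split(sep)])))
    return rows


def is_one_sided(history):
    """True when the history has only originator (uppercase) or only responder
    (lowercase) letters, i.e. the sensor saw just one direction of the flow."""
    letters = [c for c in history if c.isalpha()]
    return bool(letters) and (all(c.isupper() for c in letters) or all(c.islower() for c in letters))


def check_SAD_connections(conns):
    """(one-sided, total) over TCP connections that carry a history string."""
    tcp = [c for c in conns if c["proto"] == "tcp" and c["history"]]
    return sum(is_one_sided(c["history"]) for c in tcp), len(tcp)


def check_duplicate_5_tuples(conns):
    """5-tuples logged under more than one uid: with working load balancing a
    connection reaches one worker and is logged once."""
    uids_by_tuple = {}
    for c in conns:
        key = (c["id.orig_h"], c["id.orig_p"], c["id.resp_h"], c["id.resp_p"], c["proto"])
        uids_by_tuple.setdefault(key, set()).add(c["uid"])
    return {key: len(uids) for key, uids in uids_by_tuple.items() if len(uids) > 1}


def check_local_connections(conns, local_nets):
    """(remote-to-remote, total) over TCP connections; a high ratio usually
    means networks.cfg is missing a subnet that should count as local."""
    nets = [ip_network(n) for n in local_nets]
    is_local = lambda addr: any(ip_address(addr) in n for n in nets)
    tcp = [c for c in conns if c["proto"] == "tcp"]
    remote = [c for c in tcp if not is_local(c["id.orig_h"]) and not is_local(c["id.resp_h"])]
    return len(remote), len(tcp)


def check_capture_loss(rows, threshold=1.0):
    """Peers whose worst recent percent_lost exceeds threshold (assumed 1%)."""
    worst = {}
    for r in rows:
        worst[r["peer"]] = max(float(r["percent_lost"]), worst.get(r["peer"], 0.0))
    return {peer: pct for peer, pct in worst.items() if pct > threshold}


def run_doctor(selected=None):
    """Run every check, or only the named ones, like `broctl doctor [check]`."""
    conns, loss = parse_bro_log(CONN_LOG), parse_bro_log(CAPTURE_LOSS_LOG)
    checks = {
        "check_SAD_connections": lambda: check_SAD_connections(conns),
        "check_capture_loss": lambda: check_capture_loss(loss),
        "check_duplicate_5_tuples": lambda: check_duplicate_5_tuples(conns),
        "check_local_connections": lambda: check_local_connections(conns, LOCAL_NETS),
    }
    return {name: fn() for name, fn in checks.items() if not selected or name in selected}


if __name__ == "__main__":
    for name, result in run_doctor().items():
        print(name, result)
```

On the constructed excerpt, three of the five TCP connections with a history are one-sided, one 5-tuple is logged twice under different uids, one of six TCP connections is remote-to-remote, and worker-2 is the only peer over the loss threshold. A real duplicate check should additionally bound the time window, since a 5-tuple can legitimately reappear after the client port is reused.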
