This plugin provides a "doctor" command for broctl that will help to troubleshoot various common cluster problems.
This plugin runs the following checks:
Checks if many recent connections have a SAD or had history
If any connections have a history that is one sided (all uppercase or all lowercase) this indicates that bro is only seeing half of the connection.
Checks for recent capture_loss.log entries
Capture loss should be as low as possible across all workers.
Checks what percentage of recent tcp connections show loss
Like capture loss, but instead of reporting on the absolute loss amount, report on the percentage of recent connections show any loss at all.
Checks if anything is in the deprecated local-logger.bro, local-manager.bro, local-proxy.bro, or local-worker.bro scripts
Unless you know what you are doing, you should ONLY be using local.bro.
Checks if any recent connections have been logged multiple times
Each connection should only be logged once. If a connection is logged multiple times, especially once per worker, load balancing is not working properly.
Checks if connections are unevenly distributed across workers
Usually, connections should be distributed evenly across workers. If connections are unevenly distributed, load balancing might be not working properly.
Checks what percentage of recent tcp connections are remote to remote.
This will detect problems with networks.cfg not listing all subnets that should be considered local.
Checks if bro is linked against a custom malloc like tcmalloc or jemalloc
Bro performs best when using a better malloc than the standard one in glibc.
Checks pf_ring configuration
If bro is configured to use pf_ring, it needs to be linked against it. If bro is linked against pf_ring, it should be using it.
If the bro pf_ring plugin is installed, the interface name should start with pf_ring::
Checks for recent reporter.log entries
If bro is running well, there will be zero reporter.log messages.
broctl doctor [check] [check]
Run all checks
broctl doctor
Run just the duplicate check
broctl doctor check_duplicate_5_tuples