Tuesday, December 31, 2024

Re: Zeek on OpenBSD: clustering issue and dropping privileges

On Mon, Dec 30, 2024 at 07:53:00PM +0100, Antoine Jacoutot wrote:
> On December 30, 2024 5:39:52 PM GMT+01:00, "Jörgen Maas" <jorgen.maas@gmail.com> wrote:
> >Hi there,
> >
> >I've been trying to get Zeek to work in a very simple cluster setup; the
> >problem is that my workers are not able to grab any data and create the
> >expected log files. The cluster config is a single node (localhost) and
> >monitoring of two interfaces, basically what's in the default node.cfg
> >(manager, proxy, logger, 2 x worker). All processes start, and are
> >listening on localhost for incoming connections. Testing the connectivity
> >with telnet to these ports gets me to a full connection. Nothing is logged
> >in stderr.log, I'm a bit puzzled :S
> >
> >In standalone mode running against a single interface Zeek is working fine.
> >
> >I'm running PF but have "set skip on lo0" set in /etc/pf.conf.
> >Zeek 6.0.5 is from packages on OpenBSD 7.6 / amd64
> >This used to work fine for me "earlier" (older OpenBSD and older version of
> >the pkg).
> >
> >Is anyone out there running this version of Zeek in a cluster setup
> >successfully?
> >
> >Another question is that it seems there's an option to drop privileges but
> >this is not provided "out of the box" by the pkg. Has this ever been
> >explored yet?
> >
> >Thanks in advance!
> >
> >Kind regards,
> >Jörgen
>
> Hi.
>
> It's a known issue, reported multiple times.
> I've looked a few times but wasn't able to find the culprit... :-/
>
> I also tried updating to a newer release but failed. We are lacking stuff available in other OSes.
>
> If one can find the issue I will put the time into bringing the port up to date.
>
>
> --
> Antoine
>

I've been running Zeek on and off on a couple of gateway devices, and the clustering support in Zeek
has been working on and off. Currently broken, unfortunately.

My plan is to instead span interfaces and run non-clustered, but I have not gotten around to it yet.
It's not ideal, but I rarely saturate the links anyway, so it will hopefully be a good workaround.
Depending on your environment, perhaps that is a solution for your problem as well?

/Magnus
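For reference, this is what the single-host zeekctl layout Jörgen describes (manager, logger, proxy and two workers, everything on localhost) looks like as a node.cfg. It is an added illustration, not a file posted by anyone in the thread; the interface names em0 and em1 are assumptions and should be replaced with the interfaces actually being monitored.

```ini
# node.cfg: one-host Zeek cluster, all roles on localhost.
# Added example; interface names em0/em1 are assumptions.

[logger-1]
type=logger
host=localhost

[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

[worker-1]
type=worker
host=localhost
interface=em0

[worker-2]
type=worker
host=localhost
interface=em1
```

After editing the file, `zeekctl deploy` installs and starts the cluster and `zeekctl status` shows whether each node is running; the workers are the processes that actually capture traffic, so if the log files stay empty it is the worker nodes' stderr.log under the spool directory that is worth checking first.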
