On Mon, Dec 30, 2024 at 07:53:00PM +0100, Antoine Jacoutot wrote:
> On December 30, 2024 5:39:52 PM GMT+01:00, "Jörgen Maas" <jorgen.m...@gmail.com> wrote:
> >Hi there,
> >
> >I've been trying to get Zeek to work in a very simple cluster setup; the problem is that my workers are not able to grab any data and create the expected log files. The cluster config is a single node (localhost) and monitoring of two interfaces, basically what's in the default node.cfg (manager, proxy, logger, 2 x worker). All processes start, and are listening on localhost for incoming connections. Testing the connectivity with telnet to these ports gets me to a full connection. Nothing is logged in stderr.log, I'm a bit puzzled :S
> >
> >In standalone mode running against a single interface Zeek is working fine.
> >
> >I'm running PF but have the "set skip lo0" set in /etc/pf.conf.
> >Zeek 6.0.5 is from packages on OpenBSD 7.6 / amd64
> >This used to work fine for me "earlier" (older OpenBSD and older version of the pkg).
> >
> >Is anyone out there running this version of Zeek in a cluster setup successfully?
> >
> >Another question is that it seems there's an option to drop privileges but this is not provided "out of the box" by the pkg. Has this ever been explored yet?
> >
> >Thanks in advance!
> >
> >Kind regards,
> >Jörgen
>
> Hi.
>
> It's a known issue, reported multiple times.
> I've looked a few times but wasn't able to find the culprit... :-/
>
> I also tried updating to a newer release but failed. We are lacking stuff available in other OSes.
>
> If one can find the issue I will put the time into bringing the port up to date.
>
>
> --
> Antoine
I've been running zeek on and off on a couple of gateway-devices, and the clustering support in zeek has been working on and off. Currently broken unfortunately. My plan is to instead span interfaces and run non-clustered, but I have not gotten around to it yet. It's not ideal, but I rarely saturate the links anyway, so it will hopefully be a good workaround. Depending on your environment, perhaps that is a solution for your problem as well?

/Magnus