<div dir="ltr">I didn't take a close look but I believe this is a known bug. Take a look at <a href="https://github.com/apache/metron-bro-plugin-kafka/pull/40">https://github.com/apache/metron-bro-plugin-kafka/pull/40</a><div><br></div><div>I followed up on that PR to see if we can get it merged.<br clear="all"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><br>- Jon Zeolla<br>Zeolla@GMail.Com</div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Apr 8, 2020 at 3:40 PM Erich M Nahum <<a href="mailto:nahum@us.ibm.com">nahum@us.ibm.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr" style="font-family:Arial,Helvetica,sans-serif;font-size:10pt"><div dir="ltr">Howdy,</div>
<div dir="ltr"> </div>
<div dir="ltr">I'm currently using the latest kafka package manager on Bro 3.0.2. The plugin is configured to send to two kafka brokers. Unfortunately, it seems to work for some time and then quietly stops sending to the second broker.</div>
<div dir="ltr"> </div>
<div dir="ltr">Here's my zeek config for kafka:</div>
<div dir="ltr"> </div>
<div dir="ltr"><div><span style="font-family:"Courier New",Courier,monospace">@load packages/metron-bro-plugin-kafka<br>redef Kafka::topic_name = "";<br>redef Kafka::kafka_conf = table(<br> ["metadata.broker.list"] = "broker1:9092, broker2:9092"<br>);</span></div>
<div><br><span style="font-family:"Courier New",Courier,monospace">event zeek_init()<br>{<br> local protocol_list = table(<br> ["conn" ] = Conn::LOG,<br> ["dhcp" ] = DHCP::LOG,<br> ["dns" ] = DNS::LOG,<br> ["ftp" ] = <a href="FTP::LOG" target="_blank">FTP::LOG</a>,<br> ["http"] = <a href="HTTP::LOG" target="_blank">HTTP::LOG</a>,<br> ["ssl"] = SSL::LOG,<br> ["x509"] = X509::LOG<br> );</span></div>
<div><span style="font-family:"Courier New",Courier,monospace"> for (proto, log_id in protocol_list ) {<br> local this_filter: Log::Filter = [<br> $name = "kafka-" + proto,<br> $writer = Log::WRITER_KAFKAWRITER,<br> $config = table(<br> ["metadata.broker.list"] = "broker1:9092, broker2:9092"<br> ),<br> $path = proto<br> ];<br> Log::add_filter(log_id, this_filter);<br> }<br>}</span></div>
<div> </div>
<div> </div></div>
<div dir="ltr">Does anyone see anything wrong with my config? It works fine for a single broker.</div>
<div dir="ltr"> </div>
<div dir="ltr">I notice the failure since all the netstat entries disappear for broker2, and it stops receiving data. Broker1 is fine.</div>
<div dir="ltr"> </div>
<div dir="ltr">Thanks,</div>
<div dir="ltr"> </div>
<div dir="ltr">-Erich</div></div><br>
_______________________________________________<br>
Zeek mailing list<br>
<a href="mailto:zeek@zeek.org" target="_blank">zeek@zeek.org</a><br>
<a href="http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek" rel="noreferrer" target="_blank">http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek</a></blockquote></div>