[Zeek] Cluster configuration zeekctl status hangs

Scot Harris SHARRIS at hollywoodfl.org
Tue Dec 3 06:24:01 PST 2019


Installed Zeek 3.0 on CentOS 8.


Have been working through the setup of zeek using two machines in a cluster.

The cluster appears to be working.

I can zeekctl install and zeekctl start the cluster.

On the remote machine I see the workers start up.

On the local machine the services and workers appear to start up.


Remote machine:

zeek     25985     1  0 08:58 ?        00:00:00 /usr/bin/bash /opt/zeek/share/zeekctl/scripts/run-zeek 3 -i af_packet::eno1 -U .status -p zeekctl -p zeekctl-live -p local -p worker-3-2 local.zeek zeekctl base/frameworks/cluster zeekctl/auto
zeek     25986     1  0 08:58 ?        00:00:00 /usr/bin/bash /opt/zeek/share/zeekctl/scripts/run-zeek 2 -i af_packet::eno1 -U .status -p zeekctl -p zeekctl-live -p local -p worker-3-1 local.zeek zeekctl base/frameworks/cluster zeekctl/auto
zeek     25990     1  0 08:58 ?        00:00:00 /usr/bin/bash /opt/zeek/share/zeekctl/scripts/run-zeek 4 -i af_packet::eno1 -U .status -p zeekctl -p zeekctl-live -p local -p worker-4-1 local.zeek zeekctl base/frameworks/cluster zeekctl/auto
zeek     25992     1  0 08:58 ?        00:00:00 /usr/bin/bash /opt/zeek/share/zeekctl/scripts/run-zeek 5 -i af_packet::eno1 -U .status -p zeekctl -p zeekctl-live -p local -p worker-4-2 local.zeek zeekctl base/frameworks/cluster zeekctl/auto
zeek     26012 25985  9 08:58 ?        00:01:31 /opt/zeek/bin/zeek -i af_packet::eno1 -U .status -p zeekctl -p zeekctl-live -p local -p worker-3-2 local.zee  zeekctl base/frameworks/cluster zeekctl/auto
zeek     26013 25986  9 08:58 ?        00:01:31 /opt/zeek/bin/zeek -i af_packet::eno1 -U .status -p zeekctl -p zeekctl-live -p local -p worker-3-1 local.zee  zeekctl base/frameworks/cluster zeekctl/auto
zeek     26016 25992  9 08:58 ?        00:01:31 /opt/zeek/bin/zeek -i af_packet::eno1 -U .status -p zeekctl -p zeekctl-live -p local -p worker-4-2 local.zee  zeekctl base/frameworks/cluster zeekctl/auto
zeek     26017 25990  9 08:58 ?        00:01:30 /opt/zeek/bin/zeek -i af_packet::eno1 -U .status -p zeekctl -p zeekctl-live -p local -p worker-4-1 local.zee  zeekctl base/frameworks/cluster zeekctl/auto



Local (manager) machine:

zeek      8314     1  0 08:57 ?        00:00:00 /usr/bin/bash /opt/zeek/share/zeekctl/scripts/run-zeek -1 -U .status -p zeekctl -p zeekctl-live -p local -p logger local.zeek zeekctl base/frameworks/cluster zeekctl/auto
zeek      8320  8314  5 08:57 ?        00:00:58 /opt/zeek/bin/zeek -U .status -p zeekctl -p zeekctl-live -p local -p logger local.zeek zeekctl base/frameworks/cluster zeekctl/auto
zeek      8361     1  0 08:57 ?        00:00:00 /usr/bin/bash /opt/zeek/share/zeekctl/scripts/run-zeek -1 -U .status -p zeekctl -p zeekctl-live -p local -p manager local.zeek zeekctl base/frameworks/cluster zeekctl/auto
zeek      8367  8361  5 08:57 ?        00:00:59 /opt/zeek/bin/zeek -U .status -p zeekctl -p zeekctl-live -p local -p manager local.zeek zeekctl base/frameworks/cluster zeekctl/auto
zeek      8406     1  0 08:58 ?        00:00:00 /usr/bin/bash /opt/zeek/share/zeekctl/scripts/run-zeek -1 -U .status -p zeekctl -p zeekctl-live -p local -p proxy-1 local.zeek zeekctl base/frameworks/cluster zeekctl/auto
zeek      8412  8406  1 08:58 ?        00:00:21 /opt/zeek/bin/zeek -U .status -p zeekctl -p zeekctl-live -p local -p proxy-1 local.zeek zeekctl base/frameworks/cluster zeekctl/auto
zeek      8471     1  0 08:58 ?        00:00:00 /usr/bin/bash /opt/zeek/share/zeekctl/scripts/run-zeek 2 -i af_packet::eno1 -U .status -p zeekctl -p zeekctl-live -p local -p worker-1-1 local.zeek zeekctl base/frameworks/cluster zeekctl/auto
zeek      8474     1  0 08:58 ?        00:00:00 /usr/bin/bash /opt/zeek/share/zeekctl/scripts/run-zeek 3 -i af_packet::eno1 -U .status -p zeekctl -p zeekctl-live -p local -p worker-1-2 local.zeek zeekctl base/frameworks/cluster zeekctl/auto
zeek      8477     1  0 08:58 ?        00:00:00 /usr/bin/bash /opt/zeek/share/zeekctl/scripts/run-zeek 5 -i af_packet::eno1 -U .status -p zeekctl -p zeekctl-live -p local -p worker-2-2 local.zeek zeekctl base/frameworks/cluster zeekctl/auto
zeek      8479     1  0 08:58 ?        00:00:00 /usr/bin/bash /opt/zeek/share/zeekctl/scripts/run-zeek 4 -i af_packet::eno1 -U .status -p zeekctl -p zeekctl-live -p local -p worker-2-1 local.zeek zeekctl base/frameworks/cluster zeekctl/auto
zeek      8499  8471 17 08:58 ?        00:03:09 /opt/zeek/bin/zeek -i af_packet::eno1 -U .status -p zeekctl -p zeekctl-live -p local -p worker-1-1 local.zeek zeekctl base/frameworks/cluster zeekctl/auto
zeek      8502  8474 21 08:58 ?        00:03:47 /opt/zeek/bin/zeek -i af_packet::eno1 -U .status -p zeekctl -p zeekctl-live -p local -p worker-1-2 local.zeek zeekctl base/frameworks/cluster zeekctl/auto
zeek      8503  8477 17 08:58 ?        00:03:09 /opt/zeek/bin/zeek -i af_packet::eno1 -U .status -p zeekctl -p zeekctl-live -p local -p worker-2-2 local.zeek zeekctl base/frameworks/cluster zeekctl/auto
zeek      8504  8479 18 08:58 ?        00:03:17 /opt/zeek/bin/zeek -i af_packet::eno1 -U .status -p zeekctl -p zeekctl-live -p local -p worker-2-1 local.zeek zeekctl base/frameworks/cluster zeekctl/auto
zeek      8593  3011  6 08:58 pts/0    00:01:04 /usr/bin/python3.6 /opt/zeek/bin/zeekctl status




The problem is that when I run zeekctl status that request hangs:



[zeek at heimdallr etc]$ zeekctl status

Warning: ZeekControl plugin uses legacy BroControl API. Use
'import ZeekControl.plugin' instead of 'import BroControl.plugin'

Getting process status ...
Getting peer status ...




Only way to resolve this is to kill process 8593.

Any ideas on why this is hanging?





Secondary problem with a workaround available:

I also have to follow these steps for the cluster to work.


1. zeekctl install
2. setcap cap_net_raw=eip /opt/zeek/bin/zeek    (on the remote peer)
3. zeekctl start

Attempts to use zeekctl deploy do not work, as the setcap command needs to be run on the remote peer after the install is completed.

Running zeek 3.0.


__________________________________________
Scot Harris
Network Engineer
City of Hollywood
Information Technology

P.O. Box 229045
Hollywood, FL 33022-9045
Office: 954-921-3304
E-mail: SHARRIS at hollywoodfl.org
[www.hollywoodfl.org]
__________________________________________
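The three manual steps from the post (install, setcap on each remote peer, start) as one script, added here as an example and not the poster's own code. It assumes node.cfg lives under /opt/zeek/etc, that the zeek user can ssh to every worker host, and that passwordless sudo is available there for setcap; the host name in the test data is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): run the post's install ->
# setcap-on-remote-peer -> start sequence so "zeekctl deploy" is not needed.
# Assumptions: node.cfg under /opt/zeek/etc, ssh as the zeek user to each
# worker host, passwordless sudo for setcap on those hosts.
set -eu

ZEEK_ETC="${ZEEK_ETC:-/opt/zeek/etc}"
ZEEK_BIN="${ZEEK_BIN:-/opt/zeek/bin/zeek}"

# Print the distinct host= of every [section] with type=worker in a node.cfg,
# one per line in first-seen order (plain awk, no zeekctl plugin API needed).
worker_hosts() {
    awk -F= '
        /^\[/                { type = ""; host = "" }
        $1 ~ /^type[ \t]*$/  { gsub(/[ \t]/, "", $2); type = $2 }
        $1 ~ /^host[ \t]*$/  { gsub(/[ \t]/, "", $2); host = $2 }
        type == "worker" && host != "" && !seen[host]++ { print host }
    ' "$1"
}

# Grant cap_net_raw to the zeek binary on one host and verify it with getcap,
# so a missing capability fails loudly here instead of as a dead worker later.
grant_raw_cap() {
    cmd="sudo setcap cap_net_raw=eip '$ZEEK_BIN' && getcap '$ZEEK_BIN' | grep -q cap_net_raw"
    case "$1" in
        localhost|127.0.0.1) sh -c "$cmd" ;;
        *)                   ssh "$1" "$cmd" ;;
    esac
}

# Same order as the post: install first (it copies the binary to the peers,
# which drops the capability), then setcap on every worker host, then start.
deploy_with_setcap() {
    zeekctl install
    worker_hosts "$ZEEK_ETC/node.cfg" | while read -r h; do grant_raw_cap "$h"; done
    zeekctl start
}

if [ "${1:-}" = "--run" ]; then deploy_with_setcap; fi
```

Run it with `--run` in place of `zeekctl deploy`; without arguments it only defines the functions.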