[Zeek] Cluster configuration zeekctl status hangs
Justin Azoff
justin at corelight.com
Tue Dec 3 06:55:41 PST 2019
On Tue, Dec 3, 2019 at 9:28 AM Scot Harris <SHARRIS at hollywoodfl.org> wrote:
> The problem is that when I run zeekctl status that request hangs:
>
> [zeek@heimdallr etc]$ zeekctl status
>
> Warning: ZeekControl plugin uses legacy BroControl API. Use
> 'import ZeekControl.plugin' instead of 'import BroControl.plugin'
>
> Getting process status ...
> Getting peer status ...
>
> Only way to resolve this is to kill process 8593.
>
> Any ideas on why this is hanging?
>
Odd that it's even doing that.. did you change this option in zeekctl.cfg?

# Show all output of the zeekctl status command. If set to 1, then all output
# is shown. If set to 0, then zeekctl status will not collect or show the peer
# information (and the command will run faster).
StatusCmdShowAll = 0

The default is to skip the "peer status" stuff, which causes zeekctl to
connect to each worker on the broker port. You may have firewall rules or
something preventing this from working. Does the zeekctl netstats command
also hang?

> Secondary problem with a workaround available:
>
> Also have to follow the following steps for the cluster to work.
>
> 1. zeekctl install
> 2. setcap cap_net_raw=eip /opt/zeek/bin/zeek (on the remote peer)
> 3. zeekctl start
>
> Attempts to use zeekctl deploy do not work as the setcap command needs
> to be run on the remote peer after the install is completed.
>
This should do what you want: https://github.com/PingTrip/broctl-setcap
--
Justin
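
Added example, not part of the original message and not zeekctl code: a small Python check, run from the manager host, that tells a silently dropped connection (the kind that makes a client hang) apart from a refused one on each node's listening port. The node names, addresses and port numbers below are constructed placeholders; substitute the hosts and ports your own cluster uses.

```python
import socket


def probe(host, port, timeout=3.0):
    """Classify one TCP connect attempt from this host to host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # three-way handshake completed
    except ConnectionRefusedError:
        return "refused"         # host answered with RST: nothing is listening
    except socket.timeout:
        return "filtered"        # no answer at all: packets are likely dropped
    except OSError as exc:
        return "error: %s" % exc  # e.g. no route to host, name resolution failure


def check_nodes(nodes, timeout=3.0):
    """nodes maps a node name to (host, port); returns name -> status."""
    return {name: probe(host, port, timeout)
            for name, (host, port) in nodes.items()}


def blocked(results):
    """Names of nodes whose port could not be reached, sorted."""
    return sorted(name for name, status in results.items() if status != "open")


if __name__ == "__main__":
    # Constructed sample inventory (documentation addresses, placeholder ports).
    sample_nodes = {
        "worker-1": ("192.0.2.11", 47761),
        "worker-2": ("192.0.2.12", 47762),
    }
    results = check_nodes(sample_nodes, timeout=2.0)
    for name in sorted(results):
        print("%-10s %s" % (name, results[name]))
    if blocked(results):
        print("unreachable:", ", ".join(blocked(results)))
```

A "filtered" result points at a firewall dropping packets between the manager and that node, while "refused" means the path is open but no process is listening on the port.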