[Zeek] [EXT]Re: Cluster configuration zeekctl status hangs

Scot Harris SHARRIS at hollywoodfl.org
Tue Dec 3 08:27:57 PST 2019 

Justin,

Was able to get that setcap script to work.

Required editing to get paths correct and remove extras that were not required.

But it does work now!

Thank you.



From: zeek-bounces at zeek.org [mailto:zeek-bounces at zeek.org] On Behalf Of Scot Harris
Sent: Tuesday, December 3, 2019 10:29 AM
To: Justin Azoff <justin at corelight.com>
Cc: zeek at zeek.org
Subject: Re: [Zeek] [EXT]Re: Cluster configuration zeekctl status hangs

Justin,

That option did resolve the status problem I was seeing.

What peer data is it trying to pull that causes it to hang?

Now get the expected results:

[zeek at heimdallr etc]$ zeekctl status

Warning: ZeekControl plugin uses legacy BroControl API. Use
'import ZeekControl.plugin' instead of 'import BroControl.plugin'

Name         Type    Host             Status    Pid    Started
logger       logger  10.1.1.15        running   18323  03 Dec 10:26:15
manager      manager 10.1.1.15        running   18370  03 Dec 10:26:16
proxy-1      proxy   10.1.1.15        running   18415  03 Dec 10:26:17
worker-1-1   worker  10.1.1.15        running   18505  03 Dec 10:26:19
worker-1-2   worker  10.1.1.15        running   18501  03 Dec 10:26:19
worker-2-1   worker  10.1.1.15        running   18506  03 Dec 10:26:19
worker-2-2   worker  10.1.1.15        running   18507  03 Dec 10:26:19
worker-3-1   worker  10.1.7.186       running   28032  03 Dec 10:26:19
worker-3-2   worker  10.1.7.186       running   28033  03 Dec 10:26:19
worker-4-1   worker  10.1.7.186       running   28035  03 Dec 10:26:19
worker-4-2   worker  10.1.7.186       running   28036  03 Dec 10:26:19


Will try the other fix shortly.

Thank you!

Scot

From: Justin Azoff [mailto:justin at corelight.com]
Sent: Tuesday, December 3, 2019 9:56 AM
To: Scot Harris <SHARRIS at hollywoodfl.org<mailto:SHARRIS at hollywoodfl.org>>
Cc: zeek at zeek.org<mailto:zeek at zeek.org>
Subject: [EXT]Re: [Zeek] Cluster configuration zeekctl status hangs

On Tue, Dec 3, 2019 at 9:28 AM Scot Harris <SHARRIS at hollywoodfl.org<mailto:SHARRIS at hollywoodfl.org>> wrote:


The problem is that when I run zeekctl status that request hangs:



[zeek at heimdallr etc]$ zeekctl status

Warning: ZeekControl plugin uses legacy BroControl API. Use
'import ZeekControl.plugin' instead of 'import BroControl.plugin'

Getting process status ...
Getting peer status ...

Only way to resolve this is to kill process 8593.

Any ideas on why this is hanging?

Odd that it's even doing that.. did you change this option in zeekctl.cfg?

# Show all output of the zeekctl status command.  If set to 1, then all output
# is shown.  If set to 0, then zeekctl status will not collect or show the peer
# information (and the command will run faster).
StatusCmdShowAll = 0

The default is to skip the "peer status" stuff, which causes zeekctl to connect to each worker on the broker port.  You may have firewall rules or something preventing this from working.  Does the zeekctl netstats command also hang?



Secondary problem with a work around available:

Also have to follow the following steps for the cluster to work.


1.       zeekctl install

2.       setcap cap_net_raw=eip /opt/zeek/bin/zeek    (on the remote peer)

3.       zeekctl start

Attempts to use zeekctl deploy does not work as the setcap command needs to be run on the remote peer after the install is completed.

This should do what you want: https://github.com/PingTrip/broctl-setcap


--
Justin
CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

__________________________________________
Scot Harris
Network Engineer
City of Hollywood
Information Technology

P.O. Box 229045
Hollywood, FL 33022-9045
Office: 954-921-3304
E-mail: SHARRIS at hollywoodfl.org<mailto:SHARRIS at hollywoodfl.org>
[www.hollywoodfl.org]
Notice: Florida has a broad public records law. All correspondence sent to the City of Hollywood via e-mail may be subject to disclosure as a matter of public record.
__________________________________________
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20191203/beb03e68/attachment-0001.html

More information about the Zeek mailing list