[Zeek] Noticing "SumStat key request for the.." in reporter.log Zeek 3.0

Jon Siwek jsiwek at corelight.com
Fri Dec 6 17:26:43 PST 2019


On Fri, Dec 6, 2019 at 2:06 PM fatema bannatwala
<fatema.bannatwala at gmail.com> wrote:

> I upgraded our external zeek cluster right before Thanksgiving to zeek 3.0, and have started noticing a fair amount of the following warnings in the reporter.log file:
>
> "SumStat key request for the 7PJNSqZOUs8 SumStat uid took longer than 1 minute and was automatically cancelled."

Did you happen to copy over a previous local.bro that still has "@load
misc/scan" in it?  The new local.zeek has that commented out due to it
being a frequent cause of performance issues.

> Also, an interesting thing is that after the upgrade, generation of the software.log file has become pretty sporadic (no software.log file for the last one week).

One reason for that may be if you don't have any proxy nodes in your
cluster config (or they aren't reachable for some reason).

- Jon
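
A quick check for the two conditions suggested in the reply above, as an added example that is not part of the original thread or of Zeek itself. It assumes zeekctl's INI-style node.cfg with a `type=` key per node; the function names and the file contents below are constructed for illustration.

```python
import configparser
import re

# An active (uncommented) "@load misc/scan" line; a trailing comment is allowed.
SCAN_LOAD = re.compile(r'^\s*@load\s+misc/scan\s*(?:#.*)?$')

def active_scan_loads(local_zeek_text):
    """Return 1-based line numbers where misc/scan is loaded and not commented out."""
    return [n for n, line in enumerate(local_zeek_text.splitlines(), 1)
            if SCAN_LOAD.match(line)]

def proxy_nodes(node_cfg_text):
    """Return the names of node.cfg sections declared with type=proxy."""
    cfg = configparser.ConfigParser()
    cfg.read_string(node_cfg_text)
    return [name for name in cfg.sections()
            if cfg.get(name, "type", fallback="").strip().lower() == "proxy"]

def diagnose(local_zeek_text, node_cfg_text):
    """Return one finding per condition from the reply that applies."""
    findings = []
    lines = active_scan_loads(local_zeek_text)
    if lines:
        findings.append("misc/scan is still loaded at local.zeek line(s) %s" % lines)
    if not proxy_nodes(node_cfg_text):
        findings.append("node.cfg defines no proxy node")
    return findings

# Constructed sample: a site file carried over from an older install.
SAMPLE_LOCAL_ZEEK = """\
@load misc/loaded-scripts
@load tuning/defaults
# @load misc/scan
@load misc/scan
"""

# Constructed sample: a cluster layout with no proxy section.
SAMPLE_NODE_CFG = """\
[manager]
type=manager
host=192.0.2.10

[worker-1]
type=worker
host=192.0.2.11
interface=eth0
"""

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOCAL_ZEEK, SAMPLE_NODE_CFG):
        print(finding)
```

Whether a configured proxy is actually reachable, the other possibility raised in the reply, has to be checked on the running cluster.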

