[Zeek] Manager, Proxy and Worker all logging the same notice to notice.log

Denny Sabu Denny.Sabu at sensato.co
Thu Dec 26 12:42:07 PST 2019


Hello,

I have a clustered deployment of Zeek (v3.0.0) consisting of a manager, a proxy and 16 workers. In notice.log, I see 3 notices for what appears to be a single event. The 3 notices have the same ts, source, destination, IPs, ports, fuids, notes, and msgs, but the uid is different for all 3 notices. In addition, the 'peer_descr' value is different for each, with one being the manager, one the proxy and one the worker.

Any help/guidance on the matter would be greatly appreciated.

Best,

Denny Sabu
Software Engineer
Sensato
www.sensato.co<http://www.sensato.co/>
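
A way to confirm the symptom described in the message above, as an added example that is not part of the original post: it groups notice.log records on the fields the post says are identical and reports groups logged by more than one peer. The function names and all sample records are constructed for illustration; the sample carries only a subset of notice.log's columns.

```python
from collections import defaultdict

# Fields the post reports as identical across the three notices (uid deliberately excluded).
KEY_FIELDS = ("ts", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "fuid", "note", "msg")
FIELDS = ("ts", "uid") + KEY_FIELDS[1:] + ("peer_descr",)

# Constructed records: one notice logged by three peers, plus one logged once.
_ROWS = [
    ("1577392927.000000", "CaaaaaaaaaaaaaaaA1", "192.0.2.10", "49152", "198.51.100.7", "443",
     "FaaaaaaaaaaaaaaaF1", "SSL::Invalid_Server_Cert", "constructed message A", "manager"),
    ("1577392927.000000", "CbbbbbbbbbbbbbbbB2", "192.0.2.10", "49152", "198.51.100.7", "443",
     "FaaaaaaaaaaaaaaaF1", "SSL::Invalid_Server_Cert", "constructed message A", "proxy-1"),
    ("1577392927.000000", "CcccccccccccccccC3", "192.0.2.10", "49152", "198.51.100.7", "443",
     "FaaaaaaaaaaaaaaaF1", "SSL::Invalid_Server_Cert", "constructed message A", "worker-1-3"),
    ("1577392931.500000", "CdddddddddddddddD4", "192.0.2.11", "49153", "198.51.100.8", "443",
     "FbbbbbbbbbbbbbbbF2", "SSL::Invalid_Server_Cert", "constructed message B", "worker-1-5"),
]
SAMPLE = ("#separator \\x09\n#path\tnotice\n#fields\t" + "\t".join(FIELDS) + "\n"
          + "\n".join("\t".join(row) for row in _ROWS) + "\n")


def parse_zeek_tsv(text):
    """Yield one dict per record, taking column names from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("record found before #fields header")
            yield dict(zip(fields, line.split("\t")))


def cross_peer_duplicates(text):
    """Return {key tuple: sorted peer_descr list} for notices logged by more than one peer."""
    peers = defaultdict(set)
    for rec in parse_zeek_tsv(text):
        key = tuple(rec.get(f, "-") for f in KEY_FIELDS)
        peers[key].add(rec.get("peer_descr", "-"))
    return {k: sorted(v) for k, v in peers.items() if len(v) > 1}


if __name__ == "__main__":
    for key, who in cross_peer_duplicates(SAMPLE).items():
        print(dict(zip(KEY_FIELDS, key))["note"], "logged by", ", ".join(who))
```
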