[Zeek] Manager, Proxy and Worker all logging the same notice to notice.log

Justin Azoff justin at corelight.com
Thu Dec 26 14:01:52 PST 2019


What is the notice? What does your node.cfg look like?

On Thu, Dec 26, 2019 at 3:44 PM Denny Sabu <Denny.Sabu at sensato.co> wrote:

> Hello,
>
> I have a clustered deployment of Zeek (v3.0.0) consisting of a manager, a
> proxy and 16 workers. In notice.log, I see 3 notices for what appears to be
> a single event. The 3 notices have the same ts, source, destination, IPs,
> ports, fuids, notes, and msgs but the uid is different for all 3 notices.
> In addition, the 'peer_descr' value is different for each, with one being
> the manager, one the proxy and one the worker.
>
> Any help/guidance on the matter would be greatly appreciated.
>
> Best,
>
> Denny Sabu
> *Software Engineer*
> *Sensato*
> www.sensato.co



-- 
Justin