[Zeek] Manager, Proxy and Worker all logging the same notice to notice.log

Denny Sabu Denny.Sabu at sensato.co
Thu Dec 26 15:01:32 PST 2019


node.cfg is as follows:

[manager]
type=manager
host=localhost
interface=enp101s0f1

[proxy-1]
type=proxy
host=localhost
interface=enp101s0f1

[worker-1]
type=worker
host=localhost
interface=enp101s0f1
lb_method=pf_ring
lb_procs=16
pin_cpus=4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19

The notice is SSL::Invalid_Server_Cert

Denny Sabu
Software Engineer
Sensato
www.sensato.co
________________________________
From: Justin Azoff <justin at corelight.com>
Sent: Thursday, December 26, 2019 5:01 PM
To: Denny Sabu <Denny.Sabu at sensato.co>
Cc: zeek at zeek.org <zeek at zeek.org>
Subject: Re: [Zeek] Manager, Proxy and Worker all logging the same notice to notice.log

What is the notice?  What does your node.cfg look like?

On Thu, Dec 26, 2019 at 3:44 PM Denny Sabu <Denny.Sabu at sensato.co> wrote:
Hello,

I have a clustered deployment of Zeek (v3.0.0) consisting of a manager, a proxy and 16 workers. In notice.log, I see 3 notices for what appears to be a single event. The 3 notices have the same ts, source, destination, IPs, ports, fuids, notes, and msgs, but the uid is different for all 3 notices. In addition, the 'peer_descr' value is different for each, with one being the manager, one the proxy and one the worker.

Any help/guidance on the matter would be greatly appreciated.

Best,

Denny Sabu
Software Engineer
Sensato
www.sensato.co


--
Justin
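
To confirm the pattern reported in this thread (notices identical in every field except uid and peer_descr), the rows of notice.log can be grouped on all remaining fields and the reporting nodes listed per group. This is an added example, not part of the original messages; the sample rows, the reduced field set and the function names are constructed for illustration.

```python
from collections import defaultdict

# Fields the post reports as differing between the otherwise identical notices.
VARYING = {"uid", "peer_descr"}

# Constructed sample in Zeek's TSV log layout (reduced field set, not real data).
HEADER = "#fields\tts\tuid\tid.orig_h\tid.resp_h\tid.resp_p\tfuid\tnote\tmsg\tpeer_descr"
EVENT = ("1577400092.1\t{uid}\t192.0.2.10\t198.51.100.5\t443\tFcon1\t"
         "SSL::Invalid_Server_Cert\tconstructed msg\t{peer}")
SAMPLE = "\n".join([
    "#separator \\x09",
    "#path\tnotice",
    HEADER,
    EVENT.format(uid="Caaa1", peer="manager"),
    EVENT.format(uid="Cbbb2", peer="proxy-1"),
    EVENT.format(uid="Cccc3", peer="worker-1-7"),
    "1577400150.4\tCddd4\t192.0.2.11\t198.51.100.9\t443\tFcon2\t"
    "SSL::Invalid_Server_Cert\tconstructed msg\tworker-1-2",
    "#close\t2019-12-26-23-00-00",
])

def read_zeek_tsv(text):
    """Parse a Zeek TSV log into dicts, taking column names from '#fields'."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("data row seen before #fields header")
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def cross_node_duplicates(rows):
    """Return groups of notices that match on everything except uid/peer_descr
    and were logged by more than one cluster node."""
    groups = defaultdict(list)
    for row in rows:
        key = tuple((k, v) for k, v in row.items() if k not in VARYING)
        groups[key].append(row)
    found = []
    for key, members in groups.items():
        peers = sorted({m["peer_descr"] for m in members})
        if len(peers) > 1:
            same = dict(key)
            found.append({"ts": same["ts"], "note": same["note"], "peers": peers,
                          "uids": [m["uid"] for m in members]})
    return found

if __name__ == "__main__":
    for dup in cross_node_duplicates(read_zeek_tsv(SAMPLE)):
        print(dup["ts"], dup["note"], "logged by", ", ".join(dup["peers"]))
```

To run it against a real log, pass the contents of notice.log to read_zeek_tsv() in place of SAMPLE.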
