[Zeek] Question regarding distributed clustering with Zeek!

fatema bannatwala fatema.bannatwala at gmail.com
Tue Jan 22 13:19:28 PST 2019


Hey Jon,

Thanks for the insights!
Makes sense, that's what I was wondering: that I can run a second manager
from another install with a different prefix on the same server. I have
done that before, but only for testing purposes, and just wanted to make
sure to ask the experts if there's any other way before moving ahead with
that idea for production. :)
Also, for the same purpose, I was checking the ports currently in use on
the manager, and it looks like it is using two ports to communicate with
the worker systems:

On manager:
$ netstat | grep bro | cut -d':' -f2 | cut -d' ' -f1 | sort | uniq -c | sort -rn
     92 47762
     92 47761

And top is showing two manager and two logger processes running; hmm, is
that why it's using two ports?

$ top
top - 12:40:10 up 5 days, 20:37,  2 users,  load average: 1.72, 1.78, 1.90
Tasks: 453 total,   5 running, 448 sleeping,   0 stopped,   0 zombie
%Cpu(s):  5.4 us,  2.7 sy,  1.0 ni, 90.6 id,  0.2 wa,  0.0 hi,  0.1 si,  0.0 st
KiB Mem : 10697342+total,  1324448 free, 16529272 used, 89119696 buff/cache
KiB Swap:  8388600 total,  8388600 free,        0 used. 89549296 avail Mem

   PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
 26511 bro       20   0  366.9g  13.1g   7668 R  75.6 12.8   5710:39 /usr/local/bro/2.5.4/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
 26552 bro       25   5 2671796 455148   1288 R  72.9  0.4   7010:04 /usr/local/bro/2.5.4/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
 26465 bro       20   0 1092876 316760   7364 R  54.5  0.3   3294:08 /usr/local/bro/2.5.4/bin/bro -U .status -p broctl -p broctl-live -p local -p logger local.bro broctl base/frameworks/cluster local-logger.bro broctl/auto
 26484 bro       25   5  543848 433868   1260 S  19.1  0.4   1058:57 /usr/local/bro/2.5.4/bin/bro -U .status -p broctl -p broctl-live -p local -p logger local.bro broctl base/frameworks/cluster local-logger.bro broctl/auto

On Tue, Jan 22, 2019 at 2:49 PM Jon Siwek <jsiwek at corelight.com> wrote:

> On Tue, Jan 22, 2019 at 11:20 AM fatema bannatwala
> <fatema.bannatwala at gmail.com> wrote:
>
> > Therefore wanted to ask if multiple managers (two potentially) can be
> > set up on a single system for two separate Zeek clusters (internal and
> > external)?
> >
> > Or does Zeek yet support distributed clustering?
>
> Don't think it's that sophisticated at the moment.  You might get what
> you want if a single Bro/BroControl install had the ability to let a
> user dynamically choose which config file to use and then you can set
> up two different cluster configs on the same system (it's probably not
> too difficult to patch/hack in if you are desperate).  Otherwise, I
> imagine a crude, but working solution is to have two installations on
> the same system using a different --prefix: they'd then have different
> config files and log dirs by default.  There's also the matter of
> setting BroPort in each broctl.cfg far enough away from each other
> such that there's no port conflicts.
>
> - Jon
>
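As an added example of the port-spacing point in Jon's reply (not code from this thread or from the Zeek/BroControl project): a small Python check that reads BroPort from each install's broctl.cfg and the node list from its node.cfg, then reports whether the two installs' port ranges collide. It assumes, hypothetically, that BroControl hands each process one TCP port counting up from BroPort and that a worker entry with lb_procs=N starts N processes; both configs are constructed samples.

```python
# Added example, not code from the thread or from Zeek/BroControl. Assumption
# (hypothetical): one TCP port per process counting up from BroPort; lb_procs=N -> N processes.
import configparser
import re

# Constructed sample configs for two installs under different --prefix.
INTERNAL = (
    "BroPort = 47760\nLogDir = /usr/local/bro-int/logs\n",
    "[manager]\ntype=manager\nhost=localhost\n"
    "[logger]\ntype=logger\nhost=localhost\n"
    "[proxy-1]\ntype=proxy\nhost=localhost\n"
    "[worker-1]\ntype=worker\nhost=localhost\ninterface=eth0\nlb_procs=8\n",
)
EXTERNAL = (
    "BroPort = 47765\n",  # only 5 apart: collides with the internal range
    "[manager]\ntype=manager\nhost=localhost\n"
    "[logger]\ntype=logger\nhost=localhost\n"
    "[worker-1]\ntype=worker\nhost=localhost\ninterface=eth1\nlb_procs=4\n",
)

def parse_broport(broctl_cfg):
    """Return the BroPort value set in broctl.cfg text."""
    m = re.search(r"^\s*BroPort\s*=\s*(\d+)", broctl_cfg, re.MULTILINE)
    if not m:
        raise ValueError("BroPort not set in broctl.cfg")
    return int(m.group(1))

def count_processes(node_cfg):
    """Count the Bro processes node.cfg starts; lb_procs expands a worker entry."""
    cp = configparser.ConfigParser()
    cp.read_string(node_cfg)
    return sum(cp[s].getint("lb_procs", 1) for s in cp.sections())

def port_range(broctl_cfg, node_cfg):
    """Inclusive (first, last) port an install would occupy."""
    first = parse_broport(broctl_cfg)
    return first, first + count_processes(node_cfg) - 1

def conflicts(installs):
    """Return pairs of install names whose port ranges overlap."""
    ranges = {name: port_range(*cfgs) for name, cfgs in installs.items()}
    names = list(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

if __name__ == "__main__":
    print("conflicts:", conflicts({"internal": INTERNAL, "external": EXTERNAL}))
```

Raising BroPort in the second install's broctl.cfg by at least the first install's process count clears the collision under this assumption.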