[Zeek] Install Bro as a non-root user

Nick Skelsey nskelsey at gmail.com
Wed Jun 19 05:16:37 PDT 2019


Hi Merril,

To address the first issue, maybe you need to ensure that the user executing
the bro process can read and write to /usr/local/bro/logs and
/usr/local/bro/spool/.

For the second issue, if you are running a newer version of Linux you can get
around the packet capture permission issue by giving the bro binary the
capability to perform a raw packet capture with a command like:

> sudo setcap cap_net_raw,cap_net_admin=eip /usr/local/bro/bin/zeek

Good luck,
  Nick

On Wed, Jun 19, 2019 at 1:59 PM Merril Mathew <merril.mathew at baby2body.com>
wrote:

> Hi all,
>
> Is there a way to install Bro as a non-root user? Everything works fine if
> it's installed as root but I had problems sending Bro logs to logstash as a
> non-root user.
>
> When I tried to install as a regular user with sudo privilege, I noticed
> two errors mainly.
>
> 1) Error: unable to open database file: /usr/local/bro/spool/state.db
> 2) fatal error: /opt/bro/bin/bro: problem with interface eth0 -
> pcap_open_live: eth0: You don't have permission to capture on that device
> (socket: Operation not permitted)
>
> Any idea where to go next for me?
>
> Kind regards,
> Merril.
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
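
The two fixes suggested in the reply above can be verified before starting Zeek. The following preflight check is an added example, not part of the original thread or of the Zeek project. The function names are hypothetical, the paths are the ones quoted in the thread, and the capability parser assumes the single-clause output that the `setcap` command in the reply produces.

```shell
#!/bin/sh
# Added example: preflight check for running Zeek/Bro as a non-root user.
# Default paths are the ones quoted in the thread; override via environment.
ZEEK_BIN="${ZEEK_BIN:-/usr/local/bro/bin/zeek}"
ZEEK_DIRS="${ZEEK_DIRS:-/usr/local/bro/logs /usr/local/bro/spool}"

# dir_usable DIR: succeed if the current user can enter, read and write DIR.
dir_usable() {
    [ -d "$1" ] && [ -r "$1" ] && [ -w "$1" ] && [ -x "$1" ]
}

# caps_ok GETCAP_LINE: succeed if the line grants cap_net_raw and
# cap_net_admin with the effective (e) and permitted (p) flags.
# Accepts both getcap output styles:
#   older libcap:  /path = cap_net_admin,cap_net_raw+eip
#   newer libcap:  /path cap_net_admin,cap_net_raw=eip
caps_ok() {
    spec=${1##* }                 # last field: capability list plus flags
    case $spec in
        *[+=]*) ;;
        *) return 1 ;;            # empty output means no file capabilities
    esac
    flags=${spec##*[+=]}          # e.g. "eip"
    names=${spec%[+=]*}           # e.g. "cap_net_admin,cap_net_raw"
    case $flags in *e*) ;; *) return 1 ;; esac
    case $flags in *p*) ;; *) return 1 ;; esac
    for want in cap_net_raw cap_net_admin; do
        case ",$names," in *",$want,"*) ;; *) return 1 ;; esac
    done
}

# preflight: run both checks as the account that will run Zeek.
preflight() {
    rc=0
    for d in $ZEEK_DIRS; do
        dir_usable "$d" || { echo "FAIL: $(id -un) cannot read/write $d"; rc=1; }
    done
    line=$(getcap "$ZEEK_BIN" 2>/dev/null)
    # File capabilities live in an extended attribute on the binary, so
    # they are lost whenever the binary is replaced and must be reapplied.
    caps_ok "$line" || { echo "FAIL: $ZEEK_BIN lacks cap_net_raw,cap_net_admin"; rc=1; }
    return $rc
}

if [ "${1:-}" = "run" ]; then preflight; fi
```

Run it as the non-root account with the argument `run`; a non-zero exit status means one of the two conditions from the reply is not met.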