[Zeek] logger node in a cluster

Johanna Amann johanna at icir.org
Thu Jun 20 10:33:21 PDT 2019


Hi Mauro,

> I am not sure I am getting it right, but it seems to me that a Zeek
> logger in a cluster configuration simply sits there waiting for logs
> and then writes them down. Does it do any additional work? For
> example, checking for duplicated logs from workers? If yes, where is
> the code for these additional checks?

You pretty much got it right - the logger currently basically only writes
already preformatted logs out.

It does not do any checking for duplicated log lines, etc. Also - logs are
sent over the wire in a preformatted form so scripts on the logger cannot
get access to them anymore.

The reason to have a separate node is that it turns out that writing
huge volumes of logs takes a significant amount of CPU - which led to the
manager (who did this in the past) not being able to keep up with its
other tasks in some cases.

Johanna
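As an added illustration of the cluster layout Johanna describes (this is not part of the original thread and not configuration shipped by the Zeek project), the ZeekControl node.cfg below gives the logger its own node so that writing log volume is taken off the manager. The hostnames, the worker interface and the number of worker processes are assumptions chosen for the example; adjust them to the deployment.

```ini
# Constructed example node.cfg for ZeekControl (not from the thread).
# A dedicated logger node receives preformatted log records from the
# workers and writes them to disk; the manager no longer does this work.
[logger]
type=logger
host=localhost

[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

# Workers only sniff traffic and forward preformatted log records to the
# logger; they never write log files themselves. Interface name assumed.
[worker-1]
type=worker
host=localhost
interface=eth0
lb_method=pf_ring
lb_procs=4
```

Because the logger receives records already formatted for the writer, any deduplication or enrichment has to happen before the record leaves the worker (in the scripts that generate the log) or after the logger has written it (in whatever consumes the log files); a script loaded only on the logger node cannot inspect the record contents.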

