[Zeek] intel framework, disabling certain feeds to certain workers

Michał Purzyński michalpurzynski1 at gmail.com
Wed Nov 13 11:55:02 PST 2019


Maybe if you describe your use case we can find something out. I don’t think you have 2GB of actionable intel ;)

There’s also the input framework and the config framework, which can load data. It’s way easier to use the config framework on the 3.x line, as you don’t have to do the cluster magic yourself.

They just give you data so the matching would be on you and your scripts.

> On Nov 13, 2019, at 10:57 AM, Munroe Sollog <mus3 at lehigh.edu> wrote:
> 
> Is there a way to select which intel "files" are sent to particular workers?  Perhaps using the aux-script parameter in nodes.cfg?
> 
> We are running Bro 2.6.4.  We are using two remote workers to collect specific data on much smaller machines.  On our main cluster we are trying to load a +2GB file using the intel framework.  The main cluster seems to handle this file with no problem.  However, it is causing the "specialized" remote workers to crash "out of memory".  
> 
> I realize I'm not necessarily using the cluster feature as intended, but it has, thus far, been extremely convenient.  I would like to not have to create a separate cluster.  
> 
> Any advice?
> 
> -- 
> Munroe Sollog
> Senior Network Engineer
> munroe at lehigh.edu
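The input-framework route mentioned in the reply, as an added example that is not part of the original thread: a small indicator table is loaded only on named cluster nodes and the matching is done in the script itself. The module name, node names, file path and notice type are assumptions made for illustration.

```zeek
# Added example, not from the thread. Module name, node names and file path
# are assumptions. On Bro 2.6.x the init event is bro_init, not zeek_init.
@load base/frameworks/input
@load base/frameworks/notice
@load base/frameworks/cluster

module LocalIntel;

export {
    redef enum Notice::Type += { Indicator_Hit };

    ## Cluster node names that should load the table (hypothetical names).
    const load_on_nodes: set[string] = { "worker-1", "worker-2" } &redef;

    ## Tab-separated file that must exist locally on each listed node.
    ## Constructed sample content:
    ##   #fields	indicator	source
    ##   192.0.2.10	example-feed
    const indicator_file = "/usr/local/zeek/share/local-intel.tsv" &redef;
}

type Idx: record { indicator: addr; };
type Val: record { source: string; };

# Filled by the input framework; lives only in this node's memory.
global indicators: table[addr] of Val = table();

event zeek_init()
    {
    # Standalone instances always load; cluster nodes only when listed.
    if ( Cluster::is_enabled() && Cluster::node !in load_on_nodes )
        return;

    Input::add_table([$source=indicator_file, $name="local_intel",
                      $idx=Idx, $val=Val, $destination=indicators,
                      $mode=Input::REREAD]);
    }

# The input framework only supplies data, so the match is done here.
event connection_established(c: connection)
    {
    local resp = c$id$resp_h;
    if ( resp in indicators )
        NOTICE([$note=Indicator_Hit, $conn=c,
                $msg=fmt("%s matched local indicator list (%s)",
                         resp, indicators[resp]$source)]);
    }
```

Because each node reads the file itself, nodes left out of `load_on_nodes` never allocate the table, and nothing is distributed between nodes.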