[Zeek] Two instances of bro on the same host?
James Lay
jlay at slave-tothe-box.net
Mon Nov 25 12:55:24 PST 2019
On 2019-11-25 12:49, Erich M Nahum wrote:
> Howdy,
>
> I have a multi-core machine listening to 8 interfaces with zeek. I'm
> using the kafka plugin to send logs to individual topics (conn, dns,
> http, etc).
>
> I've recently gotten a tap outside the firewall and want to send the
> equivalent logs to different comparable topics (conn-firewall,
> dns-firewall, etc).
>
> I'm currently using zeekctl with multiple workers. What I'm wondering
> is can I use two instances of zeekctl on the same machine, one for
> inside the FW and one for outside.
>
> It's not an option right now to do the outside the FW on a separate
> machine.
>
> Any suggestions?
>
> Thanks,
>
> -Erich
I use one bro instance to listen to both internal and external. Set
your filters in your SIEM to internal vs. external networks and you
should be fine.
James
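
One way to apply the internal vs. external split suggested in the reply above to Zeek JSON conn logs, as an added example that is not part of the original thread. The network ranges, function names and sample records are constructed assumptions.

```python
import ipaddress
import json
from collections import defaultdict

# Assumption: example ranges for the networks behind the firewall.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "192.168.0.0/16", "fd00::/8")]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on a bad address
    return any(ip.version == net.version and ip in net for net in INTERNAL_NETS)

def classify(record):
    """Label one conn record by which side of the firewall each endpoint is on."""
    try:
        orig = is_internal(record["id.orig_h"])
        resp = is_internal(record["id.resp_h"])
    except (KeyError, TypeError, ValueError):
        return "unparsed"
    if orig and resp:
        return "internal"
    if orig:
        return "outbound"
    return "inbound" if resp else "external"

def split_log(lines):
    """Group connection uids from JSON conn log lines by classification."""
    buckets = defaultdict(list)
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rec = None
        label = classify(rec) if isinstance(rec, dict) else "unparsed"
        # Keep the raw line when it could not be parsed, otherwise the uid.
        buckets[label].append(rec.get("uid") if isinstance(rec, dict) else line)
    return dict(buckets)

# Constructed sample records (documentation address ranges for outside hosts).
SAMPLE = [
    '{"uid": "C1", "id.orig_h": "10.1.2.3", "id.resp_h": "10.1.2.50"}',
    '{"uid": "C2", "id.orig_h": "10.1.2.3", "id.resp_h": "203.0.113.5"}',
    '{"uid": "C3", "id.orig_h": "198.51.100.7", "id.resp_h": "192.168.5.10"}',
    '{"uid": "C4", "id.orig_h": "198.51.100.7", "id.resp_h": "203.0.113.5"}',
    '{"uid": "C5", "id.orig_h": "10.1.2.3"',  # truncated line
]

if __name__ == "__main__":
    for label, items in split_log(SAMPLE).items():
        print(label, items)
```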