[Zeek] Two instances of bro on the same host?

kilotao at gmail.com kilotao at gmail.com
Tue Nov 26 16:11:31 PST 2019


Dockerize bro, you can have as many as you want.

On Tue, Nov 26, 2019, 3:05 PM Erich M Nahum <nahum at us.ibm.com> wrote:

> I figured it out.  Two zeek installations (/opt/zeek1, /opt/zeek2), two
> node.cfg files, and most importantly, the second zeekctl.cfg with the port
> changed:
>
> ZeekPort = 48760
>
> instead of the default 47760 port.
>
> I don't know if this is supported, but it seems to work.
>
> -Erich
>
>
> ----- Original message -----
> From: Erich M Nahum/Watson/IBM
> To: zeek at zeek.org
> Cc:
> Subject: Two instances of bro on the same host?
> Date: Mon, Nov 25, 2019 2:49 PM
>
> Howdy,
>
> I have a multi-core machine listening to 8 interfaces with zeek.  I'm
> using the kafka plugin to send logs to individual topics (conn, dns, http,
> etc).
>
> I've recently gotten a tap outside the firewall and want to send the
> equivalent logs to different comparable topics (conn-firewall,
> dns-firewall, etc).
>
> I'm currently using zeekctl with multiple workers.  What I'm wondering is
> can I use two instances of zeekctl on the same machine, one for inside the
> FW and one for outside.
>
> It's not an option right now to do the outside the FW on a separate
> machine.
>
> Any suggestions?
>
> Thanks,
>
> -Erich
>
>
>
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
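
Added example, not part of the original thread and not Zeek's own code: a check that the listening ports of two zeekctl installations on one host do not collide, using the ZeekPort setting and default from the thread. It assumes zeekctl gives each process in node.cfg (a worker with lb_procs=N counting N times) the next port after ZeekPort; the config contents, interface names and function names are constructed for illustration.

```python
import configparser

DEFAULT_ZEEK_PORT = 47760  # zeekctl default, as stated in the thread
# Constructed sample configs for the two installations named in the thread.
INSIDE_CTL = "# /opt/zeek1/etc/zeekctl.cfg (ZeekPort left at default)\nLogDir = /opt/zeek1/logs\n"
OUTSIDE_CTL = "# /opt/zeek2/etc/zeekctl.cfg\nLogDir = /opt/zeek2/logs\nZeekPort = 48760\n"
INSIDE_NODES = """[manager]
type=manager
host=localhost
[proxy-1]
type=proxy
host=localhost
[worker-1]
type=worker
host=localhost
interface=eth0
lb_method=custom
lb_procs=4
"""
OUTSIDE_NODES = INSIDE_NODES.replace("eth0", "eth8").replace("lb_procs=4", "lb_procs=1")

def zeek_port(ctl_text):
    """Return ZeekPort from zeekctl.cfg text (flat 'Key = value' lines, '#' comments)."""
    for line in ctl_text.splitlines():
        key, sep, value = line.split("#", 1)[0].partition("=")
        if sep and key.strip().lower() == "zeekport":
            return int(value)
    return DEFAULT_ZEEK_PORT

def process_count(node_text):
    """Count Zeek processes in node.cfg text; lb_procs=N expands one worker into N."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(node_text)
    return sum(cp.getint(s, "lb_procs", fallback=1) for s in cp.sections())

def port_range(ctl_text, node_text):
    # Assumption: ports are assigned sequentially, starting at ZeekPort.
    base = zeek_port(ctl_text)
    return range(base, base + process_count(node_text))

def conflicts(a, b):
    """a and b are (zeekctl.cfg text, node.cfg text) pairs; return the shared ports."""
    return sorted(set(port_range(*a)) & set(port_range(*b)))

if __name__ == "__main__":
    print("both default:", conflicts((INSIDE_CTL, INSIDE_NODES), (INSIDE_CTL, OUTSIDE_NODES)))
    print("second moved:", conflicts((INSIDE_CTL, INSIDE_NODES), (OUTSIDE_CTL, OUTSIDE_NODES)))
```
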