[Zeek] Broker issue when in clustered mode

Andrew Klaus andrew at aklaus.ca
Fri Jun 12 10:31:07 PDT 2020


I have a Zeek script that publishes a couple of different topics using
the Zeek Broker. I've tested this on Zeek 3.1.3. I followed the Python
bindings guide here:
https://docs.zeek.org/projects/broker/en/current/python.html and it
works so long as Zeek isn't in clustered mode. This is my zeek_init():

event zeek_init()
        if (SNIFFPASS::broker_enable)
            Broker::listen("", "9999");

When I try running this in cluster mode on the same machine, it fails.
This is because the manager and workers attempt to listen on the same
IP and Port:

error in main.bro, line 160: Failed to listen on
(Broker::listen(SNIFFPASS::broker_host, SNIFFPASS::broker_port,
fatal error: errors occurred while initializing

I tried moving the Broker::listen to the manager only like this:

event zeek_init()
    if ( Cluster::is_enabled() && Cluster::local_node_type() ==
Cluster::MANAGER ) {
        Broker::listen(SNIFFPASS::broker_host, SNIFFPASS::broker_port);


This now allows Zeek to now successfully start in clustered mode and
my Zeek script runs. My Python script connects to the manager on
localhost:9999 successfully, but doesn't receive any events from the
manager. This is the Python script I'm using for testing:

#!/bin/env python3

import broker
import sys

# Setup endpoint and connect to Zeek.
ep = broker.Endpoint()
sub = ep.make_subscriber("/sniffpass/credentials_seen")
ss = ep.make_status_subscriber(True);
ep.peer("", 9999)

# Wait until connection is established.
st = ss.get()

if not (type(st) == broker.Status and st.code() == broker.SC.PeerAdded):
    print("could not connect")

while True:
    (t, d) = sub.get()
    event = broker.zeek.Event(d)
    print("received {}{}".format(event.name(), event.args()))

I would assume it has to do with the Manager not relaying the messages
from the broker, but I can't quite figure out how to get this working.

My full Zeek script is up here:

Any insight into how to do this properly would be greatly appreciated.

Thanks in advance!

More information about the Zeek mailing list