[Zeek] First attempt to upgrade to 3: Multiple interfaces
James Lay
jlay at slave-tothe-box.net
Tue Mar 3 12:10:38 PST 2020
Appreciate the responses. These interfaces are an external on the
internet, and an internal with a localnet (this device is classified as a
router), so bonding them isn't an option. The only reason I'm running
in this manner as opposed to just letting zeekctl handle it all is the
process count and memory usage. I guess I'll test out zeekctl and see
where I sit....might have to fall back to 3.0. Thank you.
James
On 2020-03-03 12:42, Steve Smoot wrote:
> On Tue, Mar 3, 2020 at 11:30 AM Tim Wojtulewicz <tim at corelight.com>
> wrote:
>
>> If you don’t really need the latest and greatest cutting edge
>> changes to 3.1, version 3.0.x still supports multiple interfaces.
>> That feature was removed in 3.1 due to the wide changes to the IO
>> Loop architecture, and you’re honestly the first user I’ve heard
>> from that has noticed it missing. It was removed to make that work
>> easier to accomplish, but we can certainly investigate bringing it
>> back if there’s enough of a use case for it.
>
> Another option, I think would be to bond/bridge the interfaces and
> listen on that. If that would work for you,
>
> -s
>
>> Tim
>>
>>> On Mar 3, 2020, at 12:03 PM, James Lay <jlay at slave-tothe-box.net> wrote:
>>>
>>> Welp...out of luck so far:
>>>
>>> /opt/zeek/bin/zeek -C -i eth0 -i eth1 --filter '<redacted>' local
>>> "Site::local_nets += { 192.168.1.0/24 }"
>>>
>>> gets me:
>>>
>>> ERROR: Only a single interface option (-i) is allowed.
>>>
>>> I didn't have this issue with 2. Any reason why only one interface is
>>> allowed now? Unless something radical has changed with the resources
>>> that zeekctl uses I have no desire to use it. I'm dead in the water
>>> with Zeek as of now. Thank you.
>>>
>>> James
>>> _______________________________________________
>>> Zeek mailing list
>>> zeek at zeek.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>>
>
> --
>
> STEPHEN R. SMOOT, PHD
> VP, Customer Success
> Corelight
>
>