[Zeek] First attempt to upgrade to 3: Multiple interfaces

James Lay jlay at slave-tothe-box.net
Tue Mar 3 17:50:51 PST 2020


All,

I'm pleased to report that using the zeekctl method of running is so far
working well...resource usage is so far manageable.  Thanks for the
assistance.

James

On Tue, 2020-03-03 at 13:10 -0700, James Lay wrote:
> Appreciate the responses.  These interfaces are an external on the
> internet, and an internal with a localnet (this device is classified
> as router), so bonding them isn't an option.  The only reason I'm
> running in this manner as opposed to just letting zeekctl handle it
> all is the process count and memory usage.  I guess I'll test out
> zeekctl and see where I sit....might have to fall back to 3.0.  Thank
> you.
> James
> On 2020-03-03 12:42, Steve Smoot wrote:
> On Tue, Mar 3, 2020 at 11:30 AM Tim Wojtulewicz <tim at corelight.com> wrote:
> If you don’t really need the latest and greatest cutting edge changes
> to 3.1, version 3.0.x still supports multiple interfaces. That feature
> was removed in 3.1 due to the wide changes to the IOLoop
> architecture, and you’re honestly the first user I’ve heard from that
> has noticed it missing. It was removed to make that work easier to
> accomplish, but we can certainly investigate bringing it back if
> there’s enough of a use case for it.
> Another option, I think would be to bond/bridge the interfaces
> and listen on that.  If that would work for you,
> -s
> Tim
> On Mar 3, 2020, at 12:03 PM, James Lay <jlay at slave-tothe-box.net> wrote:
> 
> Welp...out of luck so far:
> /opt/zeek/bin/zeek -C -i eth0 -i eth1 --filter '<redacted>' local "Site::local_nets += { 192.168.1.0/24 }"
> gets me:
> ERROR: Only a single interface option (-i) is allowed.
> I didn't have this issue with 2.  Any reason why only one interface is
> allowed now?  Unless something radical has changed with the resources
> that zeekctl uses I have no desire to use it.  I'm dead in the water
> with Zeek as of now.  Thank you.
> James
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
> --
> STEPHEN R. SMOOT, PHD
> VP, Customer Success
> Corelight

