[Zeek] Anyone using Bro doctor plugin?
Carlos Lopez
clopmz at outlook.com
Fri Mar 27 11:02:08 PDT 2020
Hi Justin,
Same problem:
################################################
# Checking for recent capture_loss.log entries #
################################################
error: Traceback (most recent call last):
  File "/usr/lib64/python3.6/cmd.py", line 214, in onecmd
    func = getattr(self, 'do_' + cmd)
AttributeError: 'ZeekCtlCmdLoop' object has no attribute 'do_doctor'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/zeek/lib/zeek/plugins/packages/bro-doctor/doctor.py", line 596, in cmd_custom
    results.ok = f() and results.ok
  File "/opt/zeek/lib/zeek/plugins/packages/bro-doctor/doctor.py", line 274, in check_capture_loss
    for rec in read_bro_logs_with_line_limit(reversed(files), 10000):
  File "/opt/zeek/lib/zeek/plugins/packages/bro-doctor/doctor.py", line 141, in read_bro_logs_with_line_limit
    for rec in read_bro_log(f):
  File "/opt/zeek/lib/zeek/plugins/packages/bro-doctor/doctor.py", line 131, in read_bro_log
    raise Exception("Unknown bro log type for file {}, first line: {!r}".format(filename, f.readline().strip()))
Exception: Unknown bro log type for file /nsm/zeek/logs/2020-03-26/capture_loss.16:00:00-16:06:17.log.gz, first line: b'"ts":"2020-03-26T16:06:11.983538Z","ts_delta":529.7351248264313,"peer":"worker-2","gaps":0,"acks":7,"percent_lost":0.0}'
My installed packages are:
zeek/corelight/bro-community-id (installed: 1.2) - "Community ID" flow hash support in conn.log
zeek/j-gras/add-node-names (installed: 2.0.0) - Adds cluster node name to logs.
zeek/j-gras/zeek-af_packet-plugin (installed: 2.0.0) - This plugin provides native AF_Packet support for Zeek.
zeek/ncsa/bro-doctor (installed: 2.0.3) - A broctl plugin that helps you troubleshoot common problems For cluster-related checks, the package "add-node-names" is recommended.
zeek/salesforce/hassh (installed: master) - HASSH is used to identify specific Client and Server SSH implementations.
zeek/salesforce/ja3 (installed: master) - JA3 creates 32 character SSL client fingerprints and logs them as a field in ssl.log.
--
Regards,
C. L. Martinez
On 27/03/2020, 16:32, "Justin Azoff" <justin at corelight.com> wrote:
Sorry about that, I just pushed 2.0.3 that fixes that issue.
On Tue, Mar 24, 2020 at 5:47 AM Carlos Lopez <clopmz at outlook.com> wrote:
>
> Hi all,
>
> I have enabled the bro doctor plugin in my Zeek 3.0.3 cluster and I see the following error:
>
> ###################################################################
> # Checking if connections are unevenly distributed across workers #
> ###################################################################
> error: Traceback (most recent call last):
>   File "/usr/lib64/python3.6/cmd.py", line 214, in onecmd
>     func = getattr(self, 'do_' + cmd)
> AttributeError: 'ZeekCtlCmdLoop' object has no attribute 'do_doctor'
>
> During handling of the above exception, another exception occurred:
>
> Traceback (most recent call last):
>   File "/opt/zeek/lib/zeek/plugins/packages/bro-doctor/doctor.py", line 596, in cmd_custom
>     results.ok = f() and results.ok
>   File "/opt/zeek/lib/zeek/plugins/packages/bro-doctor/doctor.py", line 457, in check_connection_distribution
>     variance = reduce(lambda var, cnt: var + (cnt - mean)**2, nodes.values(), 0) / len(nodes)
> NameError: name 'reduce' is not defined
>
> All other doctor options work OK, but not this one … Is it a bug? Do I need to install some other Python module? Zeek is running as an unprivileged user …
>
> --
> Regards,
> C. L. Martinez
--
Justin
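
Added example, not part of the thread and not bro-doctor's code: a Python 3 reader that accepts both log formats that appear here (the JSON capture_loss.log record quoted in the exception and Zeek's default TSV format) from gzip files opened in binary mode, together with the variance expression from the first traceback with `reduce` imported from `functools`. The function names and the sample records are constructed for illustration.

```python
import gzip
import io
import json
from functools import reduce  # Python 3 removed the reduce() builtin


def read_zeek_log(f):
    """Yield dict records from a binary-mode Zeek log, TSV or JSON lines."""
    first = f.readline()
    if first.startswith(b"#separator"):
        # TSV header "#separator \x09" spells the separator as an escape.
        sep = first.split(b" ", 1)[1].strip().decode("unicode_escape")
        fields = []
        for raw in f:
            line = raw.decode("utf-8", "replace").rstrip("\n")
            if line.startswith("#fields"):
                fields = line.split(sep)[1:]
            elif line and not line.startswith("#"):
                yield dict(zip(fields, line.split(sep)))
    elif first.lstrip().startswith(b"{"):
        yield json.loads(first)  # the first line is already a record
        yield from (json.loads(raw) for raw in f if raw.strip())
    else:
        raise ValueError("unknown Zeek log type: {!r}".format(first[:60]))


def max_loss_by_peer(gz_bytes):
    """Highest percent_lost per worker in a gzip-compressed capture_loss log."""
    worst = {}
    with gzip.open(io.BytesIO(gz_bytes), "rb") as f:
        for rec in read_zeek_log(f):
            loss = float(rec["percent_lost"])  # TSV values arrive as strings
            worst[rec["peer"]] = max(loss, worst.get(rec["peer"], 0.0))
    return worst


def count_variance(nodes):
    """Population variance of per-node counts (expression from the traceback)."""
    mean = sum(nodes.values()) / len(nodes)
    return reduce(lambda var, cnt: var + (cnt - mean) ** 2, nodes.values(), 0) / len(nodes)


# Constructed sample logs, not data from the thread.
JSON_LOG = gzip.compress(
    b'{"ts":"2020-03-26T16:06:11Z","peer":"worker-1","gaps":0,"acks":7,"percent_lost":0.0}\n'
    b'{"ts":"2020-03-26T16:06:11Z","peer":"worker-2","gaps":3,"acks":12,"percent_lost":25.0}\n')
TSV_LOG = gzip.compress(
    b"#separator \\x09\n#fields\tts\tpeer\tgaps\tacks\tpercent_lost\n"
    b"1585238771.0\tworker-1\t1\t4\t25.0\n#close\t2020-03-26-16-06-17\n")
```

Calling `max_loss_by_peer(JSON_LOG)` and `max_loss_by_peer(TSV_LOG)` gives the same record shape for either format; input that is neither format raises `ValueError` once iteration starts.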