[Zeek] Anyone using Bro doctor plugin?

Justin Azoff justin at corelight.com
Sat Mar 28 10:17:22 PDT 2020 

Gah, looks like there are still some stupid python3 issues.  I could have
sworn I fixed all of those a while back.. Must have been in a branch I
never finished.

Changing the "{" to b"{" in read_bro_log should fix that immediate issue.

I'll see about getting this fixed and tested better this weekend.

On Friday, March 27, 2020, Carlos Lopez <clopmz at outlook.com> wrote:

> And errors appears with reporter also:
>
> ############################################
> # Checking for recent reporter.log entries #
> ############################################
> error: Found 2 reporter log files in the past 7 days
> Recent reporter.log messages:
> error: Traceback (most recent call last):
>   File "/usr/lib64/python3.6/cmd.py", line 214, in onecmd
>     func = getattr(self, 'do_' + cmd)
> AttributeError: 'ZeekCtlCmdLoop' object has no attribute 'do_doctor'
>
> During handling of the above exception, another exception occurred:
>
> Traceback (most recent call last):
>   File "/opt/zeek/lib/zeek/plugins/packages/bro-doctor/doctor.py", line
> 596, in cmd_custom
>     results.ok = f() and results.ok
>   File "/opt/zeek/lib/zeek/plugins/packages/bro-doctor/doctor.py", line
> 242, in check_reporter
>     for rec in read_bro_logs_with_line_limit(reversed(files), 1000):
>   File "/opt/zeek/lib/zeek/plugins/packages/bro-doctor/doctor.py", line
> 141, in read_bro_logs_with_line_limit
>     for rec in read_bro_log(f):
>   File "/opt/zeek/lib/zeek/plugins/packages/bro-doctor/doctor.py", line
> 131, in read_bro_log
>     raise Exception("Unknown bro log type for file {}, first line:
> {!r}".format(filename, f.readline().strip()))
> Exception: Unknown bro log type for file /nsm/zeek/logs/2020-03-26/
> reporter.16:06:11-16:06:17.log.gz, first line:
> b'"ts":"2020-03-26T16:06:11.983538Z","level":"Reporter::INFO","message":"received
> termination signal","location":""}'
>
> --
> Regards,
> C. L. Martinez
>
> On 27/03/2020, 19:05, "zeek-bounces at zeek.org on behalf of Carlos Lopez" <
> zeek-bounces at zeek.org on behalf of clopmz at outlook.com> wrote:
>
>     Hi Justin,
>
>      Same problem:
>
>     ################################################
>     # Checking for recent capture_loss.log entries #
>     ################################################
>     error: Traceback (most recent call last):
>       File "/usr/lib64/python3.6/cmd.py", line 214, in onecmd
>         func = getattr(self, 'do_' + cmd)
>     AttributeError: 'ZeekCtlCmdLoop' object has no attribute 'do_doctor'
>
>     During handling of the above exception, another exception occurred:
>
>     Traceback (most recent call last):
>       File "/opt/zeek/lib/zeek/plugins/packages/bro-doctor/doctor.py",
> line 596, in cmd_custom
>         results.ok = f() and results.ok
>       File "/opt/zeek/lib/zeek/plugins/packages/bro-doctor/doctor.py",
> line 274, in check_capture_loss
>         for rec in read_bro_logs_with_line_limit(reversed(files), 10000):
>       File "/opt/zeek/lib/zeek/plugins/packages/bro-doctor/doctor.py",
> line 141, in read_bro_logs_with_line_limit
>         for rec in read_bro_log(f):
>       File "/opt/zeek/lib/zeek/plugins/packages/bro-doctor/doctor.py",
> line 131, in read_bro_log
>         raise Exception("Unknown bro log type for file {}, first line:
> {!r}".format(filename, f.readline().strip()))
>     Exception: Unknown bro log type for file /nsm/zeek/logs/2020-03-26/
> capture_loss.16:00:00-16:06:17.log.gz, first line:
> b'"ts":"2020-03-26T16:06:11.983538Z","ts_delta":529.
> 7351248264313,"peer":"worker-2","gaps":0,"acks":7,"percent_lost":0.0}'
>
>     My installed packages are:
>
>     zeek/corelight/bro-community-id (installed: 1.2) - "Community ID"
> flow hash support in conn.log
>     zeek/j-gras/add-node-names (installed: 2.0.0) - Adds cluster node name
> to logs.
>     zeek/j-gras/zeek-af_packet-plugin (installed: 2.0.0) - This plugin
> provides native AF_Packet support for Zeek.
>     zeek/ncsa/bro-doctor (installed: 2.0.3) - A broctl plugin that helps
> you troubleshoot common problems For cluster-related checks, the package
> "add-node-names" is recommended.
>     zeek/salesforce/hassh (installed: master) - HASSH is used to identify
> specific Client and Server SSH implementations.
>     zeek/salesforce/ja3 (installed: master) - JA3 creates 32 character SSL
> client fingerprints and logs them as a field in ssl.log.
>
>     --
>     Regards,
>     C. L. Martinez
>
>     On 27/03/2020, 16:32, "Justin Azoff" <justin at corelight.com> wrote:
>
>         Sorry about that,  I just pushed 2.0.3 that fixes that issue.
>
>         On Tue, Mar 24, 2020 at 5:47 AM Carlos Lopez <clopmz at outlook.com>
> wrote:
>         >
>         > Hi all,
>         >
>         >
>         >
>         > I have enable bro doctor plugin in my Zeek 3.0.3 cluster and I
> see the following error:
>         >
>         >
>         >
>         > ############################################################
> #######
>         >
>         > # Checking if connections are unevenly distributed across
> workers #
>         >
>         > ############################################################
> #######
>         >
>         > error: Traceback (most recent call last):
>         >
>         >   File "/usr/lib64/python3.6/cmd.py", line 214, in onecmd
>         >
>         >     func = getattr(self, 'do_' + cmd)
>         >
>         > AttributeError: 'ZeekCtlCmdLoop' object has no attribute
> 'do_doctor'
>         >
>         >
>         >
>         > During handling of the above exception, another exception
> occurred:
>         >
>         >
>         >
>         > Traceback (most recent call last):
>         >
>         >   File "/opt/zeek/lib/zeek/plugins/
> packages/bro-doctor/doctor.py", line 596, in cmd_custom
>         >
>         >     results.ok = f() and results.ok
>         >
>         >   File "/opt/zeek/lib/zeek/plugins/
> packages/bro-doctor/doctor.py", line 457, in check_connection_distribution
>         >
>         >     variance = reduce(lambda var, cnt: var + (cnt - mean)**2,
> nodes.values(), 0) / len(nodes)
>         >
>         > NameError: name 'reduce' is not defined
>         >
>         >
>         >
>         > All other doctor options works ok, but not this one … Is it a
> bug? Do I need to install some other python module? Zeek is running as
> unprivileged user …
>         >
>         >
>         >
>         > --
>         >
>         > Regards,
>         >
>         > C. L. Martinez
>         >
>         > _______________________________________________
>         > Zeek mailing list
>         > zeek at zeek.org
>         > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>
>
>
>         --
>         Justin
>
>
>
>     _______________________________________________
>     Zeek mailing list
>     zeek at zeek.org
>     http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>
>

-- 
Justin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20200328/8bae3835/attachment.html

More information about the Zeek mailing list