After updating my Zeek 3.0.7 cluster to 3.0.8, when I try to run “zeekctl deploy” the following error is returned:
checking configurations …
logger scripts failed.
fatal error in /opt/zeek/share/zeek/site/packages/__load__.zeek, line 4: can’t find ./bro-doctor
manager scripts failed.
fatal error in /opt/zeek/share/zeek/site/packages/__load__.zeek, line 4: can’t find ./bro-doctor
proxy scripts failed.
fatal error in /opt/zeek/share/zeek/site/packages/__load__.zeek, line 4: can’t find ./bro-doctor
idps-prod-dmz scripts failed.
fatal error in /opt/zeek/share/zeek/site/packages/__load__.zeek, line 4: can’t find ./bro-doctor
This error seems to be for 3.0.8, because in 3.0.7 it works without problems. Comparing the packages.zeek file between 3.0.7 and 3.0.8, there is one difference:
3.0.8:
# WARNING: This file is managed by zkg.
# Do not make direct modifications here.
@load ./add-node-names
@load ./bro-doctor
@load ./dovehawk
@load ./hassh
@load ./ja3
@load ./zeek-af_packet-plugin
@load ./zeek-community-id
3.0.7:
# WARNING: This file is managed by zkg.
# Do not make direct modifications here.
@load ./add-node-names
@load ./dovehawk
@load ./hassh
@load ./ja3
@load ./zeek-af_packet-plugin
@load ./zeek-community-id
As you can see, there is no entry for bro-doctor … And it makes sense … In Zeek 3.1.4, packages.zeek is configured as in 3.0.7 …
I noticed this error with the af_packet plugin. Looked like zkg added it into my packages.zeek file where it wasn’t there before (I compared it to another install I hadn’t upgraded yet). When I removed the entry and redeployed, it worked fine.
To clarify, I was going from 3.1.4 to 3.1.5 and I didn’t have bro-doctor installed. The error specifically called out af_packet not being found in /opt/zeek/share/zeek/site/packages/__load__.zeek.
Weird. I also noticed that af-packet is placed back into my /opt/zeek/share/zeek/site/packages/__load__.zeek file if I run a zkg refresh. But if I stop and try to deploy again with that entry reloaded, I again see the “fatal error in /opt/zeek/share/zeek/site/packages/__load__.zeek, line 10: can’t find ./zeek-af_packet-plugin.” Removing it again results in a successful deploy. For reference I’m using zkg 2.2.0.
I haven’t used bro-doctor so I can’t speak specifically to it, only that the issue seems similar. For testing purposes, have you tried uninstalling bro-doctor and seeing if you can deploy Zeek?
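The failure discussed in this thread is a zkg-managed packages/__load__.zeek that names a package which cannot be found next to it. The following is an added example, not code from any poster or from the Zeek project: a shell check that lists such dangling `@load ./name` entries before a deploy. The function names, the sample file and the simplified resolution rule (a directory or symlink of that name, or `name.zeek`, beside the loader) are assumptions.

```shell
#!/bin/sh
# Added example: report "@load ./name" entries in a zkg-managed loader file
# that do not resolve on disk, i.e. the entries that make the deploy fail
# with "can't find ./name".
# Assumption (simplified resolution): an entry is satisfied by a directory or
# symlink called <name>, or by a file <name>.zeek, next to the loader file.

missing_loads() {
    loader=$1
    dir=$(dirname "$loader")
    # Extract <name> from relative "@load ./<name>" lines only; comment lines
    # such as the zkg warning header and blank lines never match.
    sed -n 's/^[[:space:]]*@load[[:space:]][[:space:]]*\.\/\([^[:space:]]*\).*$/\1/p' "$loader" |
    while IFS= read -r name; do
        if [ -e "$dir/$name" ] || [ -e "$dir/$name.zeek" ]; then
            continue
        fi
        printf '%s\n' "$name"
    done
}

# Constructed sample: a packages directory where hassh and ja3 are present
# but bro-doctor and zeek-af_packet-plugin are listed without being on disk.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/packages/hassh" "$root/packages/ja3"
    cat > "$root/packages/__load__.zeek" <<'EOF'
# WARNING: This file is managed by zkg.
# Do not make direct modifications here.
@load ./bro-doctor
@load ./hassh
@load ./ja3
@load ./zeek-af_packet-plugin
EOF
    printf '%s\n' "$root/packages/__load__.zeek"
}

# Check the file given as the first argument, or the constructed sample
# when no argument is supplied.
missing_loads "${1:-$(make_sample)}"
```

Pass the real loader path, for example the `/opt/zeek/share/zeek/site/packages/__load__.zeek` shown in the errors above, as the first argument; an empty result means every listed entry resolved under the simplified rule.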