How to set logging path by interface


We set up and operate two interfaces on one zeek host.

By integrating two interfaces, it is burdensome to classify logs.

What should I do if I want to generate logs in different paths for different interfaces?

When I was running 2 instances on one zeek host, Logger was failing to run properly due to port duplication running issues.

It might be easier to sort out the port conflict(s). Are you using zeekctl or setting up clusters by hand?

Otherwise, if you have the interface name available within Zeek scripting you can use the path_func for logging filters and prefix the paths with the interface name [1].

@JustinAzoff (or someone else) - do you maybe have a canned solution for this? Know an easy way to get the monitoring interface name outside of using zeek_args() trickery, using zeek interfaces="eth0" or setting an environment variable and using getenv()?

[1] Logging Framework — Book of Zeek (v5.0.0)

The easiest way to do different things on different workers is to use the SitePolicyScripts option to load a different set of scripts on each process, instead of everything just loading local.zeek. You could use a script that sets up a log extension callback to add interface specific fields to each log.

You could probably do it by parsing the arguments to pull out the interface, but just setting SitePolicyScripts to local.zeek eth0.zeek or local.zeek eth1.zeek is a lot simpler.

You can fix the logger port conflict by setting ZeekPort to something different in each install, otherwise all of the processes in each cluster will use exactly the same ports.

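A sketch of the per-interface script suggested in the two replies above, combining SitePolicyScripts with a path_func on each stream's default filter. This is an added example, not code from the posters or from the Zeek project; the module name `IfaceLogs`, the `iface` option and `prefix_path` are hypothetical, and it assumes every stream of interest still has its "default" filter.

```zeek
# eth0.zeek: loaded only by the install that sniffs eth0, e.g. with
# SitePolicyScripts = local.zeek eth0.zeek (an eth1.zeek copy would use "eth1").
module IfaceLogs;

export {
	## Label prepended to every log path written by this process
	## (hypothetical option, not part of Zeek).
	const iface = "eth0" &redef;
}

# path_func callback: "path" is the filter's suggested path ("conn", "dns", ...).
function prefix_path(id: Log::ID, path: string, rec: any): string
	{
	return fmt("%s_%s", iface, path);
	}

# Run late so streams created in other zeek_init handlers already exist.
event zeek_init() &priority=-10
	{
	for ( id in Log::active_streams )
		{
		local f = Log::get_filter(id, "default");

		# Streams whose default filter was removed return Log::no_filter.
		if ( f$name == Log::no_filter$name )
			next;

		# Re-adding a filter under the same name replaces the existing one.
		f$path_func = prefix_path;
		Log::add_filter(id, f);
		}
	}
```

With this loaded, connection logs from the eth0 process are written as eth0_conn.log instead of conn.log; filters added under other names are left untouched.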

How can I change the logger port while installing zeek?

Are there any port change options available for the zeek install command?

Thanks for your kind reply.