We installed the file extraction package "zeek/hosom/file-extraction" on our Bro server.
We noticed that whenever we load the file extraction package, some of the larger logs like conn.log and dns.log stop showing up in Splunk (the smaller logs continue to show up in Splunk). Once we unload the file extraction package and restart Zeek, those logs start flowing into Splunk as normal.
We have 128 CPUs on that server. We pinned a total of 90 workers (45 to worker1 and 45 to worker2).
Is anyone else experiencing a similar issue? Any ideas or thoughts?
Zeek version we are running is 3.0.3.
Thanks in advance.