logger in a Zeek's cluster

Palumbo_Mauro · May 17, 2019, 1:36pm

Hi Zeek’s devs,

I have a beginner’s question on the logger process in a Zeek’s ckuster. As far as I realized, the manager and the proxy processes get only some events from the worker(s) using the cluster/broker frameworks. In this way, the manager can for example receive events necessary for doing intel/notice or sumstats for example. The necessary info are carried by the events.

The logger too does receive only a few events from the other nodes using the cluste/broker frameworks, but not those related to logging. How does it get the logging data from the workers? Could anyone point me where in the code this is done?

Thanks,

Mauro

robin · May 17, 2019, 2:24pm

Logging doesn't go through events, it's communicated separately over
Broker through dedicated log messages. You can get statistics for that
through the get_broker_state() function [1]. The returned BrokerStats
record has fields num_logs_incoming and num_logs_outgoing.

Robin

[1] https://docs.zeek.org/en/latest/scripts/base/bif/stats.bif.zeek.html#id-get_broker_stats

Topic		Replies	Views
cluster logger not receive messages from other nodes Zeek	2	138	May 6, 2022
logger node in a cluster Zeek	2	128	May 6, 2022
ZeekCTL log to different directories Zeek	2	252	February 12, 2024
Question regarding distributed clustering with Zeek! Zeek	4	107	May 6, 2022
Logging Issue after upgrade to LTS 5.0.0 Zeek	19	1199	May 9, 2023

logger in a Zeek's cluster

Related topics