Hi Zeek-devs,
I am not sure I am getting it right, but i t seems to me that a Zeek logger in a cluster configuration simply sits there waiting for logs and then writes them down. Does it do any additional work? For example, checking for duplicated logs from workers? If yes, where is the code for this additional checks?
Mauro
Hi Mauro,
I am not sure I am getting it right, but i t seems to me that a Zeek
logger in a cluster configuration simply sits there waiting for logs
and then writes them down. Does it do any additional work? For
example, checking for duplicated logs from workers? If yes, where is
the code for this additional checks?
You pretty much got it right - the logger currently basically only writes
already preformetted logs out.
It does not do any checking for duplicated log lines, etc. Also - logs are
sent over the wire in a preformatted form so scripts on the logger cacnnot
get access to them anymore.
The reason to have a separate node is that it turns out that writing
huge volumes of logs takes a significant amount of CPU - which led to the
manager (who did this in the past) not being able to keep up with its
other tasks in some cases.
Johanna