I have a clustered deployment of Zeek (v3.0.0) consisting of a manager, a proxy and 16 workers. In notice.log, I see 3 notices for what appears to be a single event. The 3 notices have the same ts, source, destination, IPs, ports, fuids, notes, and msgs but the uid is different for all 3 notices. In addition the ‘peer_descr’ value is different for each, with one being the manager, one the proxy and one the worker.
Any help/guidance on the matter would be greatly appreciated.
What is the notice? What does your node.cfg look like?
node.cfg is as follows:
The notice is SSL::Invalid_Server_Cert
You’ve told the manager and proxy to capture from enp101s0f1… remove those lines and this problem will go away. Also, you should add a logger section.
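For readers who hit the same symptom, here is an added, hypothetical node.cfg that shows the shape of the fix the reply describes. It is not the original poster's file (which is not reproduced in the thread): the hostnames, the `[worker-1]` load-balancing settings and the interface name are assumptions, and only the worker section is allowed to carry an `interface=` line. In Zeek 3.0 any node given an `interface=` sniffs traffic itself, which is why a manager and proxy configured that way each raise their own copy of a notice (same ts, note and fuid, but a different uid and `peer_descr`).

```ini
# Hypothetical node.cfg for a Zeek 3.0 cluster (added example, not the poster's file).
# Rule of thumb: manager, logger and proxy sections get NO interface= line;
# only worker sections sniff an interface.

[manager]
type=manager
host=manager.example.internal      # assumed hostname
# no interface= here: a manager that sniffs will emit duplicate notices

[logger]
type=logger
host=manager.example.internal      # assumed; the logger takes over log writing from the manager

[proxy-1]
type=proxy
host=manager.example.internal      # assumed hostname
# no interface= here either

[worker-1]
type=worker
host=sensor.example.internal       # assumed hostname
interface=enp101s0f1               # the only section that captures packets
lb_method=pf_ring                  # assumed; 16 worker processes on one interface
lb_procs=16
```

After editing, `zeekctl check` parses the configuration and `zeekctl deploy` installs and restarts the cluster. Once the manager and proxy no longer sniff, each SSL::Invalid_Server_Cert should appear in notice.log once, with `peer_descr` naming the worker that saw the connection.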