Hello,
I have a clustered deployment of Zeek (v3.0.0) consisting of a manager, a proxy and 16 workers. In notice.log, I see 3 notices for what appears to be a single event. The 3 notices have the same ts, source, destination, IPs, ports, fuids, notes, and msgs, but the uid is different for all 3 notices. In addition, the ‘peer_descr’ value is different for each, with one being the manager, one the proxy and one the worker.
Any help/guidance on the matter would be greatly appreciated.
Best,
What is the notice? What does your node.cfg look like?
node.cfg is as follows:
[manager]
type=manager
host=localhost
interface=enp101s0f1
[proxy-1]
type=proxy
host=localhost
interface=enp101s0f1
[worker-1]
type=worker
host=localhost
interface=enp101s0f1
lb_method=pf_ring
lb_procs=16
pin_cpus=4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
The notice is SSL::Invalid_Server_Cert
You’ve told the manager and proxy to capture from enp101s0f1… remove those lines and this problem will go away. Also, you should add a logger section.
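The check described in the reply above, as an added example that is not part of the original thread or of zeekctl: a small Python linter that flags `interface=` on non-capturing nodes and a missing logger, then emits a corrected node.cfg. The function name `lint_node_cfg`, the section name `[logger]` and its `host=localhost` value are assumptions chosen to match the single-host layout posted here.

```python
import configparser
import io

# node.cfg exactly as posted in the thread above
POSTED = """\
[manager]
type=manager
host=localhost
interface=enp101s0f1
[proxy-1]
type=proxy
host=localhost
interface=enp101s0f1
[worker-1]
type=worker
host=localhost
interface=enp101s0f1
lb_method=pf_ring
lb_procs=16
pin_cpus=4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
"""

def lint_node_cfg(text):
    """Return (findings, corrected_text) for a zeekctl-style node.cfg."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    for name in cfg.sections():
        ntype = cfg[name].get("type", "")
        # Per the reply: manager and proxy must not capture; same for a logger.
        if ntype in ("manager", "proxy", "logger") and "interface" in cfg[name]:
            findings.append(f"{name}: type={ntype} must not set interface")
            del cfg[name]["interface"]
    # The reply also recommends a logger section.
    if not any(cfg[s].get("type") == "logger" for s in cfg.sections()):
        findings.append("no logger node defined")
        # Assumed name and host for the added node (same single host as above).
        cfg["logger"] = {"type": "logger", "host": "localhost"}
    out = io.StringIO()
    cfg.write(out, space_around_delimiters=False)
    return findings, out.getvalue()

if __name__ == "__main__":
    findings, fixed = lint_node_cfg(POSTED)
    print("\n".join(findings))
    print(fixed)
```

Run against the posted file, it reports the manager and proxy `interface` lines and the missing logger; the worker section, including its pf_ring settings, is left unchanged.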