Question regarding distributed clustering with Zeek!

Hi All,

Currently we are monitoring the north-south traffic using Zeek cluster (with a manager/logger system and 4 dedicated systems running as workers), and recently we managed to get approval of monitoring some of the east-west traffic with Zeek as well (Yay).
And we want the logs corresponding to the internal (east-west) traffic monitoring to be logged separately from the logs of north-south traffic (current Zeek deployment).
Therefore I wanted to ask if multiple managers (two potentially) can be set up on a single system for two separate Zeek clusters (internal and external)?

Or does Zeek support distributed clustering yet?

Any thoughts, or a better way to achieve the same?

Thanks,
Fatema.

Don't think it's that sophisticated at the moment. You might get what
you want if a single Bro/BroControl install had the ability to let a
user dynamically choose which config file to use and then you can set
up two different cluster configs on the same system (it's probably not
too difficult to patch/hack in if you are desperate). Otherwise, I
imagine a crude, but working solution is to have two installations on
the same system using a different --prefix: they'd then have different
config files and log dirs by default. There's also the matter of
setting BroPort in each broctl.cfg far enough away from each other
such that there are no port conflicts.

- Jon
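A quick check for the port-spacing point above, added here as an example that is not from the thread: given the broctl.cfg and node.cfg of two installs, it verifies that their port ranges do not overlap. It assumes broctl hands out one consecutive port per [node] section starting at BroPort (default 47760); the config paths and sample clusters are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Checks that two separate BroControl
# installs (different --prefix) on one host will not fight over ports.
# Assumption: broctl hands out one port per [node] section in node.cfg,
# counting upward from BroPort (default 47760), so an install needs the
# range [BroPort, BroPort + nodes - 1]. All paths below are hypothetical.

# BroPort from a broctl.cfg; falls back to the default when unset.
bro_port() {
    port=$(sed -n 's/^[[:space:]]*BroPort[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1")
    echo "${port:-47760}"
}

# Number of nodes in a node.cfg (one "[name]" section header each).
count_nodes() {
    grep -c '^\[' "$1"
}

# Last port an install uses: BroPort + node count - 1.
last_port() {
    echo $(( $(bro_port "$1") + $(count_nodes "$2") - 1 ))
}

# Succeeds (exit 0) only when the two installs' port ranges are disjoint.
# Args: broctl.cfg and node.cfg of install A, then the same for install B.
ranges_ok() {
    a_lo=$(bro_port "$1"); a_hi=$(last_port "$1" "$2")
    b_lo=$(bro_port "$3"); b_hi=$(last_port "$3" "$4")
    [ "$a_hi" -lt "$b_lo" ] || [ "$b_hi" -lt "$a_lo" ]
}

# Constructed sample configs (not real deployments); prints the temp dir.
# ext: north-south cluster, 4 nodes from 47760.  int: east-west, 3 nodes
# from 48760 (fine).  close: 2 nodes from 47762, which collides with ext.
make_samples() {
    d=$(mktemp -d)
    for inst in ext int close; do mkdir -p "$d/$inst"; done
    printf 'BroPort = 47760\n' > "$d/ext/broctl.cfg"
    printf '[logger]\ntype=logger\nhost=localhost\n[manager]\ntype=manager\nhost=localhost\n[proxy-1]\ntype=proxy\nhost=localhost\n[worker-1]\ntype=worker\nhost=10.0.0.1\ninterface=eth0\n' > "$d/ext/node.cfg"
    printf 'BroPort = 48760\n' > "$d/int/broctl.cfg"
    printf '[logger]\ntype=logger\nhost=localhost\n[manager]\ntype=manager\nhost=localhost\n[worker-1]\ntype=worker\nhost=10.0.0.2\ninterface=eth1\n' > "$d/int/node.cfg"
    printf 'BroPort = 47762\n' > "$d/close/broctl.cfg"
    printf '[manager]\ntype=manager\nhost=localhost\n[worker-1]\ntype=worker\nhost=10.0.0.3\ninterface=eth2\n' > "$d/close/node.cfg"
    echo "$d"
}
```

On a real host, call ranges_ok with the etc/broctl.cfg and etc/node.cfg under each --prefix; a non-zero exit means BroPort in one of them needs to move further away.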

I’d approach it by modifying the logging system. With a little work you could tag workers in node.cfg with “logging=north-south” or “logging=east-west” and then modify the bro logging script to decide where incoming logs should go based on that tag.

-L

Hey Jon,

Thanks for the insights!
Makes sense, that's what I was wondering: that I can run a second manager from another install with a different prefix on the same server.
I have done that before, but only for testing purposes, and just wanted to ask the experts if there's any other way before moving ahead with that idea for production. :)
Also, for the same purpose, I was checking the ports currently in use on the manager, and it looks like it is using two ports to communicate with the worker systems:

On manager: $ netstat | grep bro | cut -d':' -f2 | cut -d' ' -f1 | sort | uniq -c | sort -rn
92 47762
92 47761

And top shows two manager and two logger processes running; hmm, is that why it's using two ports?

$ top
top - 12:40:10 up 5 days, 20:37, 2 users, load average: 1.72, 1.78, 1.90
Tasks: 453 total, 5 running, 448 sleeping, 0 stopped, 0 zombie
%Cpu(s): 5.4 us, 2.7 sy, 1.0 ni, 90.6 id, 0.2 wa, 0.0 hi, 0.1 si, 0.0 st
KiB Mem : 10697342+total, 1324448 free, 16529272 used, 89119696 buff/cache
KiB Swap: 8388600 total, 8388600 free, 0 used. 89549296 avail Mem

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
26511 bro 20 0 366.9g 13.1g 7668 R 75.6 12.8 5710:39 /usr/local/bro/2.5.4/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
26552 bro 25 5 2671796 455148 1288 R 72.9 0.4 7010:04 /usr/local/bro/2.5.4/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto
26465 bro 20 0 1092876 316760 7364 R 54.5 0.3 3294:08 /usr/local/bro/2.5.4/bin/bro -U .status -p broctl -p broctl-live -p local -p logger local.bro broctl base/frameworks/cluster local-logger.bro broctl/auto
26484 bro 25 5 543848 433868 1260 S 19.1 0.4 1058:57 /usr/local/bro/2.5.4/bin/bro -U .status -p broctl -p broctl-live -p local -p logger local.bro broctl base/frameworks/cluster local-logger.bro broctl/auto