Setup hardware/clusterization for Zeek

I am currently setting up a PoC for my company to implement Zeek as a network security monitor. Unfortunately, I have never done such a thing before and because of that my questions will probably be very silly. I have not been able to answer my questions with Google. I have two questions:

  1. What baseline data do I need to have to figure out what equipment to buy? All I know is that my network bandwidth could be 10-25 Gbps+. I planned to install Zeek without any advanced configurations or additional plugins; the out-of-the-box functions will be enough for me.

  2. I was planning on having everything standalone, but clustering might be a better option. In what cases do I need a clustered setup?

The physical aspect of how the packets get to Zeek (or anything else) is pretty important. Is that 10-25Gbps an aggregate of multiple connections that you have to merge together or will it come to you via a single optical connection you don’t need to worry about? Even then, keep in mind you may need to combine Tx/Rx. You’ll find that most places use passive optical taps that feed into a tap/agg switch to combine and load balance the traffic against the tool ports as needed.

Is 10-25Gbps pretty sustained or very bursty? If it’s just spikes, you can probably get by in your proof-of-concept with a single system and then grow to a cluster as necessary.

Unfortunately, the biggest issue you may run into right now is supply chain issues. We can’t seem to get any more of the Intel 10/25G cards we like to use and I believe the last lead time we heard from Arista (a potential tap/agg vendor) is about 10 months.
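As an added illustration (not part of the thread or of the Zeek project's documentation), here are two alternative zeekctl node.cfg layouts for the "single system first, cluster later" path described above: a standalone process, and the same box turned into a single-host cluster whose workers share the NIC via AF_PACKET fanout. Interface names, core counts and the fanout id are placeholders, and the cluster layout assumes Zeek's af_packet packet-source plugin is available; only one layout goes in node.cfg at a time.

```ini
# --- Layout A: standalone ---
# One Zeek process captures, analyses and writes logs.
# Adequate for a PoC while traffic is bursty and a single core keeps up.
[zeek]
type=standalone
host=localhost
interface=eth0

# --- Layout B: single-host cluster ---
# Same machine, but capture is spread over several worker processes so
# each core sees a slice of the flows. To grow into a multi-host cluster,
# copy worker sections to other machines and change their host= lines.
[logger-1]
type=logger
host=localhost

[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

[worker-1]
type=worker
host=localhost
# placeholder capture NIC, opened through the af_packet plugin
interface=af_packet::eth0
# let the packet source balance flows across lb_procs processes
lb_method=custom
# placeholder: one worker process per dedicated core
lb_procs=8
# keep workers off the cores used by manager/logger/proxy
pin_cpus=2,3,4,5,6,7,8,9
# placeholder id; all workers on the same NIC must share it
af_packet_fanout_id=23
```

Watching capture_loss.log and the per-worker load after deploying Layout A is what tells you whether Layout B (or more hosts) is actually needed.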


I don’t understand in which scenarios I need clustering.

Is 10-25Gbps pretty sustained or very bursty?

Unfortunately, I can’t tell you right now; the network team themselves do not know exactly.