Two instances of bro on the same host?

Erich_M_Nahum · November 25, 2019, 7:49pm

Howdy,

I have a multi-core machine listening to 8 interfaces with zeek. I’m using the kafka plugin to send logs to individual topics (conn, dns, http, etc).

I’ve recently gotten a tap outside the firewall and want to send the equivalent logs to different comparable topics (conn-firewall, dns-firewall, etc).

I’m currently using zeekctl with multiple workers. What I’m wondering is can I use two instances of zeekctl on the same machine, one for inside the FW and one for outside.

It’s not an option right now to do the outside the FW on a separate machine.

Any suggestions?

Thanks,

-Erich

James_inthe_box · November 25, 2019, 8:55pm

I use one bro instance to listen to both internal and external. Set your filters in your SIEM to internal vs. external networks and you should be fine.

James

Topic		Replies	Views
Two instances of bro on the same host? Zeek	2	94	May 6, 2022
Question regarding distributed clustering with Zeek! Zeek	4	109	May 6, 2022
Zeek install monitoring multiple interfaces, need interface in logs Zeek	3	615	May 6, 2022
Kafka Plugin with Zeek Zeek	2	480	May 6, 2022
Running Multiple Copies of Bro Zeek	2	116	May 6, 2022

Two instances of bro on the same host?

Related topics