Hello Zeek Community,
I have some questions regarding network flow monitoring and Zeek’s performance, especially during high data rates and logging processes:
- Active Sessions:
  - Where can I view the current active sessions that Zeek is handling?
  - How can I monitor the rate at which new sessions are being generated per second?
  - Is there a way to observe the rate at which sessions are being cleaned or closed per second?
- Logging Efficiency:
  - During a long run with a consistent high data rate, I noticed that after stopping traffic (e.g., for 1 hour), Zeek’s manager and proxy seem to take additional time for logging.
  - Is there any method or calculation to determine how much extra time this process takes?
  - I understand the default inactive timeout for TCP is 5 minutes, but I’ve observed it taking longer in some cases. What could cause this, and how can I address it?
  - How can I ensure that Zeek has completed logging all data for a given data shot?
- Logging Performance:
  - What is the logging ingestion rate for Zeek? Can this rate be measured or monitored?
- Packet Drops:
  - Is there any way to detect if the manager or proxy is dropping packets?
I would appreciate any insights, tips, or best practices to address these questions. Thank you in advance for your help!
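The following Zeek script is an added example, not code from the post's author or from the Zeek project, showing one way to measure the session-related numbers asked about above: connections created and removed per second (counted from the `new_connection` and `connection_state_remove` events), the connections currently tracked and the cumulative number expired by inactivity timeouts (from `get_conn_stats()`), and the capture-level packet drop counter (from `get_net_stats()`). The module name `ConnChurn`, the log path `conn_churn`, the column names and the one-second sampling interval are this example's own choices. In a cluster it belongs on the workers, since that is where packets are captured and connections are tracked; the manager and proxy do not sniff traffic, so their `get_net_stats()` counters stay at zero.

```zeek
##! Added example: per-second connection churn plus packet-drop counters.
##! Assumes a Zeek 4.x or newer script API; names below are this example's own.

module ConnChurn;

export {
	redef enum Log::ID += { LOG };

	type Info: record {
		## Wall-clock time of this sample.
		ts:                   time  &log;
		## Connections created since the previous sample.
		new_per_sec:          count &log;
		## Connections removed (cleaned up) since the previous sample.
		removed_per_sec:      count &log;
		## TCP connections Zeek is tracking right now.
		current_tcp:          count &log;
		## UDP "connections" Zeek is tracking right now.
		current_udp:          count &log;
		## Cumulative connections expired by inactivity timeouts.
		killed_by_inactivity: count &log;
		## Cumulative packets the capture interface reports as dropped (workers only).
		pkts_dropped:         count &log;
	};

	## Sampling interval; one second matches the per-second figures asked for.
	const sample_interval = 1sec &redef;

	## Timer event that takes one sample and reschedules itself.
	global sample: event();
}

global new_conns: count = 0;
global removed_conns: count = 0;

event new_connection(c: connection)
	{
	++new_conns;
	}

event connection_state_remove(c: connection)
	{
	++removed_conns;
	}

event ConnChurn::sample()
	{
	local cs = get_conn_stats();
	local ns = get_net_stats();

	Log::write(LOG, Info($ts=current_time(),
	                     $new_per_sec=new_conns,
	                     $removed_per_sec=removed_conns,
	                     $current_tcp=cs$current_tcp_conns,
	                     $current_udp=cs$current_udp_conns,
	                     $killed_by_inactivity=cs$killed_by_inactivity,
	                     $pkts_dropped=ns$pkts_dropped));

	# Reset the per-interval counters; the stats-record fields are cumulative.
	new_conns = 0;
	removed_conns = 0;

	schedule sample_interval { ConnChurn::sample() };
	}

event zeek_init()
	{
	Log::create_stream(LOG, [$columns=Info, $path="conn_churn"]);
	schedule sample_interval { ConnChurn::sample() };
	}
```

Load it with the rest of your site scripts (for example from `local.zeek`) and watch `conn_churn.log`. After traffic stops, `removed_per_sec` shows the cleanup still in progress and `current_tcp` shows how many connections remain open; the gap between traffic stop and `current_tcp` reaching its floor is the extra drain time the post asks about, and a steadily rising `killed_by_inactivity` during that window means connections are leaving through the inactivity timeout rather than through a normal close. A `pkts_dropped` value that keeps growing on a worker is the capture-level drop signal to look at first.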