Zeek and Broker versions.

Hello Zeek community:

I am new to this list and would like help debugging a connection from Zeek 3.0.1 to a machine running a broker python application. Broker is locally compiled version 1.2.4. This setup used to work, but now we have upgraded to 3.0.1 and it is no longer working.

The symptoms are that Zeek is connecting and disconnecting from the machine running Broker. I am guessing it is a version mismatch but I do not know how to diagnose this. (If there are logs, I don't know where they might be.) Any hints would be appreciated.

Thanks in advance.

Sincerely

Jim

James,

While I haven’t specifically tried to debug a situation such as yours, this may be an avenue to try if you’re building zeek from source:

  1. Add --enable-debug to your configure flags.
  2. Then you can run zeek with "-B broker" either on the command line or by adding that to ZeekArgs in zeekctl.cfg.
  3. Now you should see debug.log getting created.

-Dop

Thanks! Will give that a try!

Jim

to matching versions? Zeek 3.0.1 does use Broker 1.2.4 and if the
Python application is also on Broker 1.2.4, that should work. There
is indeed potential for version mismatches and only recent development
versions help report debug logs and that situation better, so you
might need to do some more crude troubleshooting steps, like starting
from scratch with some smaller toy scripts like this one:

https://docs.zeek.org/projects/broker/en/stable/python.html#exchanging-zeek-events

See if you get it working within a single host, then both hosts, then
add more complexity to make it more similar to the actual scripts that
you found are broken. If it breaks along the way, you've at least
narrowed it down to something we can try to reproduce and troubleshoot
with you.

Also was thinking if you suspect a version mismatch, it could matter
how you are building Zeek/Broker. If you use the git repository, and
forget to update git submodules you could accidentally end up with
mismatched Zeek, Broker, or CAF (internal Broker dependency) versions.

- Jon
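
One way to check for the stale-submodule case Jon describes, as an added example that is not from anyone in this thread: the function below classifies the output of `git submodule status --recursive` by its one-character prefix. The function names, submodule paths and hashes in the sample are constructed for illustration and do not reflect the real Zeek tree.

```shell
#!/bin/sh
# Classify `git submodule status --recursive` lines read from stdin.
# Prefix character, per the git-submodule documentation:
#   ' '  checked out at the commit the superproject records
#   '-'  submodule not initialized
#   '+'  checked-out commit differs from the recorded one
#   'U'  submodule has merge conflicts
# Prints one line per problem submodule; returns 1 if any were found.
check_submodules() {
    awk '
        length($0) == 0 { next }
        {
            flag = substr($0, 1, 1)
            split(substr($0, 2), f, " ")
            sha = f[1]; path = f[2]
            if (flag == "-") {
                print "UNINITIALIZED " path; bad++
            } else if (flag == "+") {
                print "MISMATCH " path " (checked out " substr(sha, 1, 12) ")"; bad++
            } else if (flag == "U") {
                print "CONFLICT " path; bad++
            }
        }
        END { exit (bad > 0) }
    '
}

# Constructed sample output (hypothetical paths and hashes, not a real checkout).
sample_status() {
    cat <<'EOF'
 1111111111111111111111111111111111111111 aux/example-a (v1.0)
+2222222222222222222222222222222222222222 aux/example-b (v1.1-3-g2222222)
-3333333333333333333333333333333333333333 aux/example-b/3rdparty/example-c
EOF
}

# Demo on the constructed sample.
sample_status | check_submodules || echo "submodules out of sync with the superproject"
```

In a real source checkout, run `git submodule status --recursive | check_submodules`; if anything is reported, `git submodule update --init --recursive` brings the submodules back to the commits the superproject records before rebuilding.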