Zeek Cluster with VM

mvasuraja · April 26, 2023, 9:25am

Hello All,

I am using a Ubuntu Physical machine with IP 10.180.7.188. I have installed Zeek on this machine. This is what I intend to use as the Manager, logger etc.

I have Ubuntu installed on Virtual Machine (using virtualbox) with IP 10.180.5.188. I want to collect logs from this machine, hence I decided to use this as the worker machine. On running

zeekctl deploy

I kept getting the following error

updating nodes ... root@10.180.6.33: Permission denied (publickey,password). Error: cannot create a directory on node zeek-worker Error: Failed to establish ssh connection to host 10.180.6.33: [Errno 32] Broken pipe

After some changes to ssh, now I am able to ssh to root@10.180.5.188.
But when I run zeekctl deploy it just freezes at updating nodes.
How do I proceed?

Alternately, if Iam able to ssh to user@10.180.5.188, where “user” is a non-root user, how does the node.cfg file change, since I assume zeekctl deploy tries to access the worker node with root privileges?

Thanks in advance

Raja

Christian · April 26, 2023, 6:43pm

Hey Raja,

You need to decide as which user you’re going to invoke zeekctl, which implies the user at the SSH level. Here too take a look at the zeekctl docs.

Regarding the stalling, double-check that passwordless SSH login works. You could also try something like zeekctl exec ls to run a command on all nodes, to verify that the SSH-level setup works.

Best,
Christian

mvasuraja · April 27, 2023, 6:31am

Hi Christian
Thanks for the reply.

I dont have a problem running as either root or some non-root user as long as it works.

I did check that I am able to ssh without password into the worker node, both as root and non-root users. I am able to login to the worker node without any hassles.

For the second part of your reply:
This may be a dumb question, but does Zeek have to be installed on all nodes, including the worker nodes? I have it installed only on the manager node. That is what I could understand from the official documentation and other sites that describe the installation procedure, like Eric Ooi’s.

Also tried again today afresh. Still the same state.

I am able to have a standalone system running on the host machine. Clustering is what causes issues.

Thanks,
Raja

Christian · April 27, 2023, 10:44pm

Hi Raja,

When you run a Zeek cluster, it means you run multiple Zeek processes. Each of those processes has a specific role, such as workers (processing packets), a manager, a logger, etc. These roles can only be provided by Zeek itself, by running these processes. They may all run on the same machine or on multiple ones — the latter is usually only required in large setups where packet capture on a single machine isn’t sufficient. There always is only one manager process.

zeekctl is a command-line management client for such a cluster. You run it from the same machine running the master process. You do not need to install zeekctl on all cluster machines, only the manager’s. The cluster may span multiple machines, but doesn’t have to.

Hope that helps!
Christian

mvasuraja · May 4, 2023, 6:16am

Thanks Christian.

I think I am able to get the Modbus logs (for which I had posted a separate question in the forum), so right now, I am focusing on them.

I will get back to getting the logs from a VM soon and update the status.

Regards,
Raja

Topic		Replies	Views
Use Windows machine as worker node in cluster - Zeek	0	184	February 21, 2024
ZeekCTL log to different directories Zeek	2	317	February 12, 2024
Zeek Modbus/ IEC 104 Zeek	6	312	May 4, 2023
Cluster configuration zeekctl status hangs Zeek	4	130	May 6, 2022
Ports for workers Zeek	2	127	May 6, 2022

Zeek Cluster with VM

Related topics