Zeek Not Capturing after upgrade to 5.2.0

Since the upgrade to 5.2.0, I am not getting the logs in the log directory. As the latest version has af_packet, I had to remove the installed af_packet plugin as I was getting some errors, and then I was able to upgrade from 4.2.2 to 5.2.0. The upgrade went fine, and I was able to run zeekctl deploy with no issues; I can see all the workers, manager, and logger in running status. However, now Zeek is not capturing any packets. The logger, manager, and proxy are running on one host whereas the worker node is on a separate machine. I can run zeek -i af_packet::p3p2 on the worker node but am not seeing anything in the log directory. The manager and worker are in the same subnet, so the firewall should not be an issue. In stats.log I only see manager, logger, and proxy references.

Hello - this does sound like the workers are not able to connect to the logger successfully.

On the worker host, can you run the following command (with the appropriate IP of the host where manager and logger run) and see if it’s successful (also check 27761).

$ nc -v -z 192.168.123.132 27762
Connection to 192.168.123.132 27762 port [tcp/*] succeeded!

Alternatively, does executing the following provide anything interesting in the .status or .stderr sections?

[ZeekControl] > diag worker-1-1

Hope this helps.

Thanks,
Arne
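The connectivity test Arne describes, as an added example that is not part of the original thread: it performs the same TCP connect that `nc -v -z` does, but for both ports a worker must reach (27761 and 27762, as named above) in one run, and distinguishes a refused connection (host answers, nothing listening) from a timeout (typically a firewall dropping the SYN). The host address is assumed from the nc example; the `local_listener` helper only exists so the script can be tried on a machine without the cluster.

```python
"""Added example (not from the thread): check from a Zeek worker host that the
Broker ports on the manager/logger host accept TCP connections."""
import socket
import sys

# The two ports Arne asks to test; adjust to the ports zeekctl assigned in your cluster.
BROKER_PORTS = (27761, 27762)
# Assumed manager/logger address, taken from the nc example in the thread.
DEFAULT_HOST = "192.168.123.132"


def check_port(host, port, timeout=3.0):
    """Attempt a TCP connect and return (reachable, detail) without sending data."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "succeeded"
    except OSError as exc:
        # "Connection refused" means the host answered but nothing listens there
        # (Zeek not bound to that port); "timed out" usually means a firewall
        # silently drops the connection attempt.
        return False, exc.strerror or str(exc)


def check_broker_ports(host, ports=BROKER_PORTS, timeout=3.0):
    """Return {port: (reachable, detail)} for every port a worker must reach."""
    return {port: check_port(host, port, timeout) for port in ports}


def all_reachable(results):
    """True only if every checked port accepted a connection."""
    return all(ok for ok, _ in results.values())


def local_listener():
    """Bind a loopback listener on an OS-chosen port (hypothetical helper so the
    script can be exercised offline; it plays the role of a listening Broker port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def main(argv):
    host = argv[1] if len(argv) > 1 else DEFAULT_HOST
    results = check_broker_ports(host)
    for port, (ok, detail) in sorted(results.items()):
        print(f"{host}:{port} {'open' if ok else 'BLOCKED'} ({detail})")
    return 0 if all_reachable(results) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the worker host as `python3 check_broker_ports.py 192.168.123.132`; a non-zero exit with "timed out" on a port is the firewall symptom this thread ends up diagnosing, whereas "Connection refused" points at the manager/logger process not listening on that port.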

Hi Arne,

Here is the stderr.log

==== stderr.log
[broker/ERROR] 2023-03-26T13:24:16.456 proxy 9 received an unexpected message: message(caf::sec::broken_promise)
[broker/ERROR] 2023-03-26T13:24:16.456 proxy 9 received an unexpected message: message(caf::sec::broken_promise)
[broker/ERROR] 2023-03-26T13:24:16.456 proxy 9 received an unexpected message: message(caf::sec::broken_promise)
[broker/ERROR] 2023-03-26T13:24:16.456 proxy 9 received an unexpected message: message(caf::sec::broken_promise)

==== .status
RUNNING [run_loop]

==== No prof.log

==== No packet_filter.log

==== No loaded_scripts.log

Hello @simba - thanks.

Do you have results from the nc testing, too? These messages might be related to a connectivity issue.

Thanks,
Arne

Thank you for the pointer @awelzel

It was the firewall; Zeek is capturing the logs after the firewall changes to accommodate the ports.

Just curious, which port was the original package using that didn’t require any firewall changes?


The range before Zeek 5.2.0 started at 47760. However, there were issues with that port-range being used by other processes on Linux as “ephemeral ports”. I suspect you have/had firewall rules in place for that range.
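An added example, not part of the thread, showing the collision Arne refers to: it reads the Linux ephemeral port range from `/proc/sys/net/ipv4/ip_local_port_range` (falling back to a constructed sample of the common default when the file is absent) and reports which Broker ports lie inside it. The port list is an assumption: 47760 is the start of the old range as stated above, 47761 stands in for the next port of that range, and 27761/27762 are the ports named earlier in the thread.

```python
"""Added example (not from the thread): flag Broker ports that fall inside the
host's ephemeral port range, where a local client socket may grab them first."""
import os

# Linux exposes the ephemeral range as "low<TAB>high" in this file.
PORT_RANGE_FILE = "/proc/sys/net/ipv4/ip_local_port_range"
# Constructed sample of the usual Linux default, used when the file is unavailable.
SAMPLE_RANGE_TEXT = "32768\t60999\n"


def parse_port_range(text):
    """Parse the two-integer ip_local_port_range format into (low, high)."""
    fields = text.split()
    if len(fields) != 2:
        raise ValueError(f"unexpected port range text: {text!r}")
    low, high = int(fields[0]), int(fields[1])
    if not (0 < low <= high < 65536):
        raise ValueError(f"port range out of bounds: {low}-{high}")
    return low, high


def ephemeral_range(path=PORT_RANGE_FILE):
    """Return the live ephemeral range, or the constructed sample if unreadable."""
    try:
        with open(path, encoding="ascii") as fh:
            return parse_port_range(fh.read())
    except (OSError, ValueError):
        return parse_port_range(SAMPLE_RANGE_TEXT)


def colliding_ports(ports, ephemeral):
    """Ports from `ports` that the kernel may also hand out to outgoing connections."""
    low, high = ephemeral
    return [p for p in ports if low <= p <= high]


if __name__ == "__main__":
    # Assumed ports: old range start 47760 (from the thread), 47761 as its next
    # port, and the 27761/27762 ports named earlier in the thread.
    candidates = [47760, 47761, 27761, 27762]
    rng = ephemeral_range()
    print(f"ephemeral range on {os.uname().sysname}: {rng[0]}-{rng[1]}")
    for p in candidates:
        status = "INSIDE ephemeral range" if p in colliding_ports([p], rng) else "ok"
        print(f"port {p}: {status}")
```

With the default 32768-60999 range the 47760-based ports are reported as colliding while 27761 and 27762 are not, which is the reason the default range moved in 5.2.0.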