Zeekurity Zen – Part I: How to Install Zeek on CentOS 8

This is part of the Zeekurity Zen Zeries on building a Zeek (formerly Bro) network sensor.

Overview

This guide assumes you’ll be installing Zeek on CentOS 8, given how popular CentOS tends to be in the enterprise.  However, the guide should work for any RHEL-based flavors of Linux.  For Debian-based systems, there will be some modifications required, including using apt-get vs yum for installing Linux packages.  Nothing that a search couldn’t help you figure out. 😉

Kicking things off, we’ll optimize CentOS to efficiently capture packets and then compile Zeek from source to start monitoring network traffic.

To do this, we’ll walk through these steps:

  1. Enable the “network” service and apply network sniffing optimizations, including disabling NIC offloading functions so that Zeek sees full packet data and packet loss is minimized.
  2. Set the sniffing interfaces to promiscuous mode to ensure all packets are captured and analyzed.
  3. Install libmaxminddb to enable IP geolocation capability.
  4. Build Zeek from source with optimizations.
  5. Create a non-root Zeek user to minimize impact in the event that Zeek is compromised.
  6. Deploy and run Zeek to start analyzing traffic.
  7. Create a cron job to perform Zeek maintenance tasks.

Enable “network” service and disable NIC offloading functions

  1. Install the network-scripts package.
    sudo yum install network-scripts
  2. Use ethtool to determine the maximum ring parameters for your sniffing interfaces.  The example below assumes an interface named enp2s0.
    sudo ethtool -g enp2s0
    Ring parameters for enp2s0:
    Pre-set maximums:
    RX:             4096
    RX Mini:        0
    RX Jumbo:       0
    TX:             4096
    Current hardware settings:
    RX:             256
    RX Mini:        0
    RX Jumbo:       0
    TX:             256
  3. As root/sudo, edit the /etc/sysconfig/network-scripts/ifcfg-<sniffinginterface> file for each sniffing network interface and change or add the following lines. In order, they remove the interface from NetworkManager’s control, disable DHCP, bring the interface up at boot, disable IPv6, and apply the ethtool options. Note that after “rx” you want to enter the maximum RX ring parameter as determined with ethtool -g in step 2 above.
    NM_CONTROLLED=no
    BOOTPROTO=none
    ONBOOT=yes
    IPV6INIT=no
    ETHTOOL_OPTS="-G ${DEVICE} rx <maximum RX ring parameter determined in step 2 above>; -K ${DEVICE} rx off; -K ${DEVICE} tx off; -K ${DEVICE} sg off; -K ${DEVICE} tso off; -K ${DEVICE} ufo off; -K ${DEVICE} gso off; -K ${DEVICE} gro off; -K ${DEVICE} lro off"
  4. Your file should now look something like this.
    TYPE=Ethernet
    BOOTPROTO=none
    DEFROUTE=yes
    IPV4_FAILURE_FATAL=no
    IPV6INIT=no
    IPV6_AUTOCONF=yes
    IPV6_DEFROUTE=yes
    IPV6_PEERDNS=yes
    IPV6_PEERROUTES=yes
    IPV6_FAILURE_FATAL=no
    NAME=enp2s0
    UUID=b22f5d92-3f1e-430b-b660-cb9376d8c0c0
    DEVICE=enp2s0
    ONBOOT=yes
    PEERDNS=yes
    PEERROUTES=yes
    USERS=root
    NM_CONTROLLED=no
    ETHTOOL_OPTS="-G ${DEVICE} rx 4096; -K ${DEVICE} rx off; -K ${DEVICE} tx off; -K ${DEVICE} sg off; -K ${DEVICE} tso off; -K ${DEVICE} ufo off; -K ${DEVICE} gso off; -K ${DEVICE} gro off; -K ${DEVICE} lro off"
  5. Still as root/sudo, enable the “network” service.
    sudo systemctl enable network
  6. Finally, restart the “network” service.
    sudo systemctl restart network

Set sniffing network interfaces to promiscuous mode

  1. As root/sudo, create /etc/systemd/system/promisc.service in your favorite text editor.
  2. Add the following lines, assuming enp2s0 is your sniffing interface.
    [Unit]
    Description=Makes an interface run in promiscuous mode at boot
    After=network.target
    
    [Service]
    Type=oneshot
    ExecStart=/usr/sbin/ip link set dev enp2s0 promisc on
    TimeoutStartSec=0
    RemainAfterExit=yes
    
    [Install]
    WantedBy=default.target
  3. Save the file and run the following commands to make the changes permanent and start on boot.
    sudo chmod u+x /etc/systemd/system/promisc.service
    sudo systemctl start promisc.service
    sudo systemctl enable promisc.service
    Created symlink from /etc/systemd/system/default.target.wants/promisc.service to /etc/systemd/system/promisc.service.
  4. Reboot your system and verify all the changes made thus far have persisted. Verify that PROMISC is listed in the network interface status.
    ip a show enp2s0 | grep -i promisc
    3: enp2s0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
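The two sections above tell you what to set but not how to confirm it stuck after a reboot. The script below is an added example (not code from the original post) that checks one sniffing interface against all three settings: the RX ring at its pre-set maximum, every offload from the ETHTOOL_OPTS line reported off, and PROMISC present on the link. The parsing functions take the text of ethtool/ip output as an argument so they can be exercised offline on the constructed samples at the bottom (the interface name enp2s0 and MAC address are made up); check_iface runs the real ethtool and ip commands, which need root.

```shell
#!/bin/sh
# Added example, not code from the original post: verify that a sniffing
# interface really carries the ring, offload and PROMISC settings the guide
# applies. Parsers take command output as text (testable offline);
# check_iface runs the live tools (ethtool -g/-k need root).

# Print the "Pre-set maximums" RX ring size from `ethtool -g` output.
max_rx_ring() {
    printf '%s\n' "$1" | awk '
        /^Pre-set maximums:/  { in_max = 1; next }
        /^Current hardware/   { in_max = 0 }
        in_max && $1 == "RX:" { print $2; exit }'
}

# Print the "Current hardware settings" RX ring size from `ethtool -g` output.
current_rx_ring() {
    printf '%s\n' "$1" | awk '
        /^Current hardware/   { in_cur = 1; next }
        in_cur && $1 == "RX:" { print $2; exit }'
}

# Build the ETHTOOL_OPTS= line the guide puts in ifcfg-<iface> for a given
# maximum RX ring size; ${DEVICE} stays literal for network-scripts to expand.
ethtool_opts_line() {
    opts="-G \${DEVICE} rx $1"
    for feature in rx tx sg tso ufo gso gro lro; do
        opts="$opts; -K \${DEVICE} $feature off"
    done
    printf 'ETHTOOL_OPTS="%s"\n' "$opts"
}

# From `ethtool -k` output, print the -K names of the offloads the guide
# turns off that are still reported "on" (indented sub-features are ignored).
offloads_still_on() {
    printf '%s\n' "$1" | awk '
        BEGIN {
            name["rx-checksumming:"] = "rx";            name["tx-checksumming:"] = "tx"
            name["scatter-gather:"] = "sg";             name["tcp-segmentation-offload:"] = "tso"
            name["udp-fragmentation-offload:"] = "ufo"; name["generic-segmentation-offload:"] = "gso"
            name["generic-receive-offload:"] = "gro";   name["large-receive-offload:"] = "lro"
        }
        ($1 in name) && $2 == "on" { print name[$1] }'
}

# Return 0 if the first line of `ip link show dev <iface>` lists PROMISC
# among the flags in angle brackets.
is_promisc() {
    printf '%s\n' "$1" | head -n 1 | grep -q '<[^>]*PROMISC[^>]*>'
}

# Live check of one interface: returns 0 only when the RX ring is at its
# maximum, every listed offload is off and PROMISC is set; prints what is not.
check_iface() {
    dev="$1"; rc=0
    ring=$(ethtool -g "$dev") || { echo "$dev: ethtool -g failed (not root?)"; return 1; }
    if [ "$(current_rx_ring "$ring")" != "$(max_rx_ring "$ring")" ]; then
        echo "$dev: RX ring is $(current_rx_ring "$ring"), maximum is $(max_rx_ring "$ring")"; rc=1
    fi
    still_on=$(offloads_still_on "$(ethtool -k "$dev")")
    if [ -n "$still_on" ]; then
        echo "$dev: offloads still on: $(printf '%s' "$still_on" | tr '\n' ' ')"; rc=1
    fi
    if ! is_promisc "$(ip link show dev "$dev")"; then
        echo "$dev: PROMISC flag not set"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "$dev: ring, offloads and PROMISC look right"; fi
    return "$rc"
}

# Constructed samples (not captured from a real sensor): ring output as in
# the guide, a NIC with four offloads still on, and a link with PROMISC set.
SAMPLE_RING='Ring parameters for enp2s0:
Pre-set maximums:
RX:             4096
TX:             4096
Current hardware settings:
RX:             256
TX:             256'
SAMPLE_FEATURES='Features for enp2s0:
rx-checksumming: on
tx-checksumming: on
        tx-checksum-ip-generic: on
scatter-gather: off
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]'
SAMPLE_LINK='3: enp2s0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'

# With an interface name as argument, check it live; otherwise walk the samples.
if [ "$#" -gt 0 ]; then
    check_iface "$1"
else
    echo "ifcfg line for this NIC: $(ethtool_opts_line "$(max_rx_ring "$SAMPLE_RING")")"
    echo "offloads still on:       $(offloads_still_on "$SAMPLE_FEATURES" | tr '\n' ' ')"
    is_promisc "$SAMPLE_LINK" && echo "PROMISC:                 set"
fi
```

Run it as `sudo sh check_iface.sh enp2s0` after the reboot in step 4; a non-zero exit with an "offloads still on" line usually means the ifcfg file was not picked up (NM_CONTROLLED still yes, or the network service not restarted), while a missing PROMISC flag points at the promisc.service unit.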

Install Zeek Dependencies

  1. As root/sudo, edit /etc/yum.repos.d/CentOS-PowerTools.repo and set the “enabled” field to 1, to add the PowerTools repository. Your file should look something like this.
    # CentOS-PowerTools.repo
    #
    # The mirror system uses the connecting IP address of the client and the
    # update status of each mirror to pick mirrors that are updated to and
    # geographically close to the client.  You should use this for CentOS updates
    # unless you are manually picking other mirrors.
    #
    # If the mirrorlist= does not work for you, as a fall back you can try the
    # remarked out baseurl= line instead.
    #
    #
    
    [PowerTools]
    name=CentOS-$releasever - PowerTools
    mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=PowerTools&infra=$infra
    #baseurl=http://mirror.centos.org/$contentdir/$releasever/PowerTools/$basearch/os/
    gpgcheck=1
    enabled=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
  2. Add the EPEL repo.
    sudo yum --enablerepo=extras install epel-release
  3. Run the following yum command to download the required dependencies.
    sudo yum install cmake make gcc gcc-c++ flex bison jemalloc-devel libpcap-devel openssl-devel python3 python3-devel swig zlib-devel
  4. Ensure all your packages are up to date and reboot your system.
    sudo yum update
    sudo reboot

Configure GeoIP Support

  1. Install the libmaxminddb development library.
    sudo yum install libmaxminddb-devel
  2. Sign up for a free MaxMind account.  This is required as of December 2019.
  3. Download and untar the GeoLite2 database.
    tar xzvf GeoLite2-City.tar.gz
  4. Move the GeoLite2-City.mmdb file in the extracted GeoLite2-City_YYYYMMDD directory to /usr/share/GeoIP.
    sudo mv GeoLite2-City_YYYYMMDD/GeoLite2-City.mmdb /usr/share/GeoIP/GeoLite2-City.mmdb

Create the zeek user and directory to install and run Zeek

  1. Create the zeek user and add it to the zeek group.
    sudo groupadd zeek
    sudo useradd zeek -g zeek
  2. As root/sudo, set a password for the zeek user.
    sudo passwd zeek
  3. As root/sudo, create the /opt/zeek directory and set ownership to the zeek user.
    sudo mkdir /opt/zeek
    sudo chown -R zeek:zeek /opt/zeek
    sudo chmod 750 /opt/zeek

Download, Compile, and Install Zeek

  1. Switch to the zeek user.
    su zeek
  2. We will download Zeek to the /home/zeek directory. Then we will configure Zeek to install in the /opt/zeek directory and enable jemalloc to improve memory and CPU usage.  As of this writing, the latest feature release is version 3.2.2.  If the download URL referenced in the wget command below no longer works, you can download the latest stable release directly from the Get Zeek download page.
    cd
    wget https://download.zeek.org/zeek-3.2.2.tar.gz
    tar -xzvf zeek-3.2.2.tar.gz
    cd zeek-3.2.2
    ./configure --prefix=/opt/zeek --enable-jemalloc
    make
    make install

    Note: This will take *a while* to compile.

  3. Switch back to your normal user by closing the zeek session.
    exit
  4. Since the zeek user is not root, grant the Zeek binaries the capability to capture packets.
    sudo setcap cap_net_raw=eip /opt/zeek/bin/zeek
    sudo setcap cap_net_raw=eip /opt/zeek/bin/capstats

Add Zeek to PATH

  1. As root/sudo, create /etc/profile.d/zeek.sh and add the following.
    pathmunge /opt/zeek/bin
  2. Log out and log back in as the zeek user to update the PATH.

Configure Zeek

  1. Edit /opt/zeek/etc/node.cfg to configure the number of nodes.  It is recommended to use at most one or two fewer workers than the total number of CPU cores available on your sensor.  In the example configuration below we are configuring a total of two workers, analyzing one sniffing interface.
    # Example ZeekControl node configuration.
    # Below is an example clustered configuration on a single host.
    
    [logger]
    type=logger
    host=localhost
    
    [manager]
    type=manager
    host=localhost
    
    [proxy-1]
    type=proxy
    host=localhost
    
    [worker-1]
    type=worker
    host=localhost
    interface=enp2s0
    
    [worker-2]
    type=worker
    host=localhost
    interface=enp2s0

    In the event you have two or more sniffing interfaces (e.g. enp2s0 and enp3s0), see the example configuration below which assigns each interface its own worker.

    # Example ZeekControl node configuration.
    # Below is an example clustered configuration on a single host.
    
    [logger]
    type=logger
    host=localhost
    
    [manager]
    type=manager
    host=localhost
    
    [proxy-1]
    type=proxy
    host=localhost
    
    [worker-1]
    type=worker
    host=localhost
    interface=enp2s0
    
    [worker-2]
    type=worker
    host=localhost
    interface=enp3s0
  2. Edit /opt/zeek/share/zeek/site/local.zeek to enable or disable scripts as needed.
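The two node.cfg listings above are instances of one layout: logger, manager and one proxy on localhost, then N workers per sniffing interface. The script below is an added example (not code from the original post or ZeekControl) that generates that layout for any number of interfaces and refuses to write it when the worker count breaks the core-count rule of thumb given above (it uses the conservative end, two spare cores). Interface names enp2s0/enp3s0 are the ones assumed throughout this guide; the path /opt/zeek/etc/node.cfg is the guide's install prefix.

```shell
#!/bin/sh
# Added example, not code from the original post: generate the single-host
# ZeekControl node.cfg layout for any set of sniffing interfaces and check
# the worker count against the machine's core count.

# Print a node.cfg with one logger, one manager, one proxy and
# WORKERS_PER_IFACE workers on each interface given.
# Usage: gen_node_cfg <workers-per-interface> <iface> [<iface> ...]
gen_node_cfg() {
    per_iface="$1"; shift
    printf '# Generated ZeekControl node configuration (single host).\n\n'
    for role in logger manager; do
        printf '[%s]\ntype=%s\nhost=localhost\n\n' "$role" "$role"
    done
    printf '[proxy-1]\ntype=proxy\nhost=localhost\n'
    n=0
    for iface in "$@"; do
        i=0
        while [ "$i" -lt "$per_iface" ]; do
            n=$((n + 1)); i=$((i + 1))
            printf '\n[worker-%d]\ntype=worker\nhost=localhost\ninterface=%s\n' "$n" "$iface"
        done
    done
}

# Count the worker sections in a node.cfg passed as text.
count_workers() {
    printf '%s\n' "$1" | awk '/^type=worker$/ { c++ } END { print c + 0 }'
}

# Return 0 if WORKERS leaves at least two of CORES cores for the logger,
# manager and proxy (the conservative end of the guide's recommendation).
workers_fit() {
    [ "$1" -le $(($2 - 2)) ]
}

# Generate the config for the given interfaces and write it to OUT, unless
# the worker count is too high for this machine (core count from nproc).
write_node_cfg() {
    out="$1"; per_iface="$2"; shift 2
    cfg=$(gen_node_cfg "$per_iface" "$@")
    workers=$(count_workers "$cfg")
    cores=$(nproc)
    if ! workers_fit "$workers" "$cores"; then
        echo "refusing: $workers workers on $cores cores leaves fewer than 2 for logger/manager/proxy" >&2
        return 1
    fi
    printf '%s\n' "$cfg" > "$out" && echo "wrote $out ($workers workers on $cores cores)"
}

# Stand-alone run: print the two-interface layout from the guide to stdout.
# On a sensor: write_node_cfg /opt/zeek/etc/node.cfg 1 enp2s0 enp3s0 && zeekctl deploy
gen_node_cfg 1 enp2s0 enp3s0
```

Passing 2 with a single interface reproduces the first listing above (two workers on enp2s0); passing 1 with two interfaces reproduces the second. Raising the per-interface count is the simplest way to spread load from one busy interface across cores, and write_node_cfg stops you from oversubscribing the sensor before zeekctl deploy starts them.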

Start Zeek

  1. As the zeek user, run zeekctl deploy to apply configurations and run Zeek.
    zeekctl deploy
    checking configurations ...
    installing ...
    removing old policies in /opt/zeek/spool/installed-scripts-do-not-touch/site ...
    removing old policies in /opt/zeek/spool/installed-scripts-do-not-touch/auto ...
    creating policy directories ...
    installing site policies ...
    generating cluster-layout.zeek ...
    generating local-networks.zeek ...
    generating zeekctl-config.zeek ...
    generating zeekctl-config.sh ...
    stopping ...
    stopping workers ...
    stopping proxy ...
    stopping manager ...
    stopping logger ...
    starting ...
    starting logger ...
    starting manager ...
    starting proxy ...
    starting workers ...
  2. If your output looks similar to what’s shown above, you should be good to go. To verify Zeek is running successfully, you can run zeekctl status.
    zeekctl status
    Name         Type    Host             Status    Pid    Started
    logger       logger  localhost        running   1774   10 Oct 23:15:31
    manager      manager localhost        running   1820   10 Oct 23:15:32
    proxy-1      proxy   localhost        running   1865   10 Oct 23:15:33
    worker-1-1   worker  localhost        running   1950   10 Oct 23:15:35
    worker-1-2   worker  localhost        running   1951   10 Oct 23:15:35
    worker-2-1   worker  localhost        running   1955   10 Oct 23:15:35
    worker-2-2   worker  localhost        running   1954   10 Oct 23:15:35

    If you see the following errors:

    zeekctl deploy
    Error: worker-1-1 terminated immediately after starting; check output with "diag"
    Error: worker-1-2 terminated immediately after starting; check output with "diag"
    Error: worker-2-1 terminated immediately after starting; check output with "diag"
    Error: worker-2-2 terminated immediately after starting; check output with "diag"

    Then try re-running the sudo setcap commands from earlier.

    sudo setcap cap_net_raw=eip /opt/zeek/bin/zeek
    sudo setcap cap_net_raw=eip /opt/zeek/bin/capstats
  3. You should now see logs being generated in /opt/zeek/logs/current.
    ls -l
    total 2276
    -rw-rw-r--. 1 zeek zeek   1573 Oct 10 23:15 broker.log
    -rw-rw-r--. 1 zeek zeek    593 Oct 10 23:45 capture_loss.log
    -rw-rw-r--. 1 zeek zeek   1970 Oct 10 23:15 cluster.log
    -rw-rw-r--. 1 zeek zeek 673435 Oct 10 23:52 conn.log
    -rw-rw-r--. 1 zeek zeek 580865 Oct 10 23:52 dns.log
    -rw-rw-r--. 1 zeek zeek   3830 Oct 10 23:49 dpd.log
    -rw-rw-r--. 1 zeek zeek   1406 Oct 10 23:47 files.log
    -rw-rw-r--. 1 zeek zeek  26108 Oct 10 23:48 http.log
    -rw-rw-r--. 1 zeek zeek  24646 Oct 10 23:15 loaded_scripts.log
    -rw-rw-r--. 1 zeek zeek    753 Oct 10 23:18 notice.log
    -rw-rw-r--. 1 zeek zeek    187 Oct 10 23:15 packet_filter.log
    -rw-rw-r--. 1 zeek zeek    743 Oct 10 23:46 software.log
    -rw-rw-r--. 1 zeek zeek  86512 Oct 10 23:51 ssl.log
    -rw-rw-r--. 1 zeek zeek   5446 Oct 10 23:50 stats.log
    -rw-rw-r--. 1 zeek zeek      0 Oct 10 23:15 stderr.log
    -rw-rw-r--. 1 zeek zeek    188 Oct 10 23:15 stdout.log
    -rw-rw-r--. 1 zeek zeek 240866 Oct 10 23:51 weird.log
  4. If you’re running into issues, zeekctl diag can provide more detailed output for troubleshooting purposes.
    zeekctl diag
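The "terminated immediately after starting" errors in step 2 almost always come from the non-root zeek user lacking the cap_net_raw file capability on the Zeek binaries (zeekctl diag then shows "Operation not permitted (pcap_activate)"). The script below is an added example, not code from the original post or ZeekControl, that checks for this before you deploy: it parses getcap output in both the older "path = caps+flags" and newer "path caps=flags" formats, confirms /opt/zeek is owned by zeek:zeek as set earlier in the guide, and recognises the pcap error in diag text. The sample getcap and diag lines at the bottom are constructed for the offline demonstration; zeek_preflight runs getcap and stat against a real install under the prefix you pass (default /opt/zeek, the guide's prefix).

```shell
#!/bin/sh
# Added example, not code from the original post: preflight the permission
# setup a non-root zeek user needs before `zeekctl deploy`. Parsers take
# text (testable offline); zeek_preflight runs getcap/stat on a real install.

# Return 0 if a `getcap` output line grants cap_net_raw with both the
# effective (e) and permitted (p) flags. Handles "<path> = cap_net_raw+eip"
# (older libcap), "<path> cap_net_raw=eip" (newer libcap) and capability
# lists such as "cap_net_admin,cap_net_raw=eip".
has_cap_net_raw() {
    spec="${1##* }"                                   # text after the last space
    case "$spec" in *[+=]*) ;; *) return 1 ;; esac    # no flags at all
    caps="${spec%%[+=]*}"                             # names before '+' or '='
    flags="${spec#*[+=]}"                             # flag letters after it
    case ",$caps," in *,cap_net_raw,*) ;; *) return 1 ;; esac
    case "$flags" in *e*) ;; *) return 1 ;; esac
    case "$flags" in *p*) ;; *) return 1 ;; esac
    return 0
}

# Return 0 if "user:group" (as printed by `stat -c %U:%G`) is zeek:zeek.
owned_by_zeek() { [ "$1" = "zeek:zeek" ]; }

# Return 0 if zeekctl diag / stderr.log text contains the pcap failure that a
# missing cap_net_raw produces.
is_pcap_permission_error() {
    printf '%s\n' "$1" | grep -q 'Operation not permitted (pcap_activate)'
}

# Live preflight against an install prefix (default /opt/zeek). Prints the
# guide's fix command for each problem; returns 0 when everything checks out.
zeek_preflight() {
    prefix="${1:-/opt/zeek}"; rc=0
    for bin in zeek capstats; do
        if ! has_cap_net_raw "$(getcap "$prefix/bin/$bin" 2>/dev/null)"; then
            echo "$prefix/bin/$bin lacks cap_net_raw: sudo setcap cap_net_raw=eip $prefix/bin/$bin"; rc=1
        fi
    done
    if ! owned_by_zeek "$(stat -c '%U:%G' "$prefix" 2>/dev/null)"; then
        echo "$prefix is not owned by zeek:zeek: sudo chown -R zeek:zeek $prefix"; rc=1
    fi
    if [ "$(id -un)" != "zeek" ]; then
        echo "note: run zeekctl deploy as the zeek user (you are $(id -un))"
    fi
    if [ "$rc" -eq 0 ]; then echo "$prefix: capabilities and ownership look right"; fi
    return "$rc"
}

# Constructed samples (not taken from a real host) for the offline run.
SAMPLE_GETCAP_OLD='/opt/zeek/bin/zeek = cap_net_raw+eip'
SAMPLE_GETCAP_NEW='/opt/zeek/bin/capstats cap_net_raw=eip'
SAMPLE_GETCAP_NONE=''          # newer getcap prints nothing for a file without caps
SAMPLE_DIAG='==== stderr.log
fatal error: problem with interface enp2s0 (pcap_error: socket: Operation not permitted (pcap_activate))'

# With a prefix as argument, check it live; otherwise walk the samples.
if [ "$#" -gt 0 ]; then
    zeek_preflight "$1"
else
    for line in "$SAMPLE_GETCAP_OLD" "$SAMPLE_GETCAP_NEW" "$SAMPLE_GETCAP_NONE"; do
        if has_cap_net_raw "$line"; then echo "ok:      '$line'"; else echo "missing: '$line'"; fi
    done
    is_pcap_permission_error "$SAMPLE_DIAG" && echo "diag text shows the pcap permission error"
fi
```

Run `sh zeek_preflight.sh /opt/zeek` as the zeek user before step 1; it needs no root, since getcap reads the capability without changing it. Note that the capability is attached to the file, so a rebuilt or reinstalled zeek binary (make install again) loses it and the setcap commands must be repeated, which is why re-running them fixes the errors shown above.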

ZeekControl Cron

ZeekControl features a cron command to check for and restart crashed nodes and to perform other maintenance tasks.  To take advantage of this, let’s set up a cron job.

  1. Edit the crontab of the non-root zeek user.
    crontab -e
  2. Add the following to set up a cron job that runs every five minutes.  You can adjust the frequency to your liking.
    */5 * * * * /opt/zeek/bin/zeekctl cron

Up Next

In Part II of this series, we will install the Zeek Package Manager to extend Zeek’s functionality.

34 thoughts on “Zeekurity Zen – Part I: How to Install Zeek on CentOS 8”

  • Thank you for the great post Eric. Quick question for you.. Have you tried to install the Kafka plugin using zkg on CentOS8. I completed the installation steps you provided for Zeek. I was trying to add kafka to this but having no luck. I installed librdkafka 1.4.2 successfully. Plugin installation does not work:

    [zeek@zeek ~]$ zkg install apache/metron-bro-plugin-kafka --version master
    The following packages will be INSTALLED:
    zeek/apache/metron-bro-plugin-kafka (master)

    Verify the following REQUIRED external dependencies:
    (Ensure their installation on all relevant systems before proceeding):
    from zeek/apache/metron-bro-plugin-kafka (master):
    librdkafka ~1.4.2-RC1

    Proceed? [Y/n] Y
    zeek/apache/metron-bro-plugin-kafka asks for LIBRDKAFKA_ROOT (Path to librdkafka installation tree) ? [/usr/local/lib]
    Saved answers to config file: /home/zeek/.zkg/config
    Running unit tests for “zeek/apache/metron-bro-plugin-kafka”
    error: failed to run tests for zeek/apache/metron-bro-plugin-kafka: package build_command failed, see log in /home/zeek/.zkg/logs/metron-bro-plugin-kafka-build.log
    Proceed to install anyway? [N/y] N
    Abort.

    • I have not tried to install that plugin. I’d start by looking at the error log suggested in the output you pasted: /home/zeek/.zkg/logs/metron-bro-plugin-kafka-build.log

  • I am not sure if anyone had this issue before so here it is. I followed the steps above on CentOS8 and when I tried to compile the zeek code, I got the following error:
    [zeek@zeek zeek-3.2.1]$ ./configure --prefix=/opt/zeek --enable-jemalloc
    Build Directory : build
    Source Directory: /home/zeek/zeek-3.2.1
    -- The C compiler identification is GNU 8.3.1
    -- The CXX compiler identification is GNU 8.3.1
    -- Check for working C compiler: /usr/bin/cc
    -- Check for working C compiler: /usr/bin/cc -- works
    -- Detecting C compiler ABI info
    -- Detecting C compiler ABI info - done
    -- Detecting C compile features
    -- Detecting C compile features - done
    -- Check for working CXX compiler: /usr/bin/c++
    -- Check for working CXX compiler: /usr/bin/c++ -- works
    -- Detecting CXX compiler ABI info
    -- Detecting CXX compiler ABI info - done
    -- Detecting CXX compile features
    -- Detecting CXX compile features - done
    -- Performing Test test_arch_x64
    -- Performing Test test_arch_x64 - Success
    -- Performing Test test_arch_aarch64
    -- Performing Test test_arch_aarch64 - Failed
    -- Performing Test test_arch_arm
    -- Performing Test test_arch_arm - Failed
    -- Performing Test test_arch_power
    -- Performing Test test_arch_power - Failed
    -- Determined target architecture (for hashing): x86_64
    -- Found sed: /usr/bin/sed
    -- Could NOT find PythonInterp (missing: PYTHON_EXECUTABLE)
    -- Found FLEX: /usr/bin/flex (found version "2.6.1")
    -- Found BISON: /usr/bin/bison
    -- Found PCAP: /usr/lib64/libpcap.so
    -- Performing Test PCAP_LINKS_SOLO
    -- Performing Test PCAP_LINKS_SOLO - Success
    -- Looking for pcap_get_pfring_id
    -- Looking for pcap_get_pfring_id - not found
    -- Found OpenSSL: /usr/lib64/libcrypto.so (found version "1.1.1c")
    -- Performing Test ns_initparse_works_none
    -- Performing Test ns_initparse_works_none - Failed
    -- Performing Test res_mkquery_works_none
    -- Performing Test res_mkquery_works_none - Failed
    -- Performing Test ns_initparse_works_libresolv.a
    -- Performing Test ns_initparse_works_libresolv.a - Failed
    -- Performing Test res_mkquery_works_libresolv.a
    -- Performing Test res_mkquery_works_libresolv.a - Failed
    -- Performing Test ns_initparse_works_resolv
    -- Performing Test ns_initparse_works_resolv - Success
    -- Performing Test res_mkquery_works_resolv
    -- Performing Test res_mkquery_works_resolv - Success
    -- Found BIND: /usr/lib64/libresolv.so
    -- Found ZLIB: /usr/lib64/libz.so (found version "1.2.11")
    CMake Error at auxil/binpac/CMakeLists.txt:35 (message):
    Could not find prerequisite package 'PythonInterp'

    The fix was to install python3-devel: yum install python3-devel

    • Hi Arda,

      The Python3 development package should have been installed when you installed the Zeek dependencies in the “Install Zeek Dependencies” step. Specifically this command:

      sudo yum install cmake make gcc gcc-c++ flex bison jemalloc-devel libpcap-devel openssl-devel platform-python-devel swig zlib-devel

      With the key package being “platform-python-devel.” If for whatever reason that did not install properly for you, then your fix will definitely work, too!

      – Eric

  • Hey Eric, sorry, I want to ask: how do I send all Zeek events to a syslog collector? Most references refer to Graylog, Splunk, ELK.

  • Hi Eric,
    I tried to follow your guide but on step 2 – Install the network-scripts package, the command “sudo yum install network-scripts” won’t work because the network is down from the previous change. Is there something I missed from the steps you listed here?
    Thank you,
    Julian

    • Hi Julian,

      Good catch! This guide was originally written for installation on CentOS 7 and I forgot to remove the section on disabling NetworkManager. For some background, CentOS 8 no longer ships with network-scripts support and requires the use of NetworkManager for network configuration. However, NetworkManager does not provide the level of configuration required to optimize sniffing interfaces for packet capture, hence the need for the now-legacy network-scripts.

      You can however run it such that NetworkManager is used for your management interfaces, and network-scripts are used just for the sniffing interfaces. All that said, you have two choices:
      1. Re-enable NetworkManager.
      2. Edit /etc/sysconfig/network-scripts/ifcfg-management_interface to use either DHCP or static IP.

      For most people, the easier option will be number 1. To start and re-enable NetworkManager, run:

      sudo systemctl start NetworkManager
      sudo systemctl enable NetworkManager

      Apologies for the confusion and hope that helps!

      • Hi Eric,
        I did that and it worked. Thank you for the fast response.
        Another thing you may want to update on the guide is related to the python-dev prerequisite. The option I found available through yum was python2-devel, which comes from AppStream.repo of CentOS8. I could not find the dev package for Python3 in any repos.
        Thank you,
        Julian

          • Hi Eric,
            I am not sure if this is relevant but the command “zeekctl deploy” didn’t work for me until I installed the sendmail package. As soon as the sendmail server was up, it started without any error. I hope it helps.
            Thank you,
            Julian

      • Thanks for the article, Eric. Very helpful. Question about running NetworkManager on the sniffing interface. Are you saying one should run NetworkManager AND networkd at the same time? If so, isn’t this ‘bad’? Or are you saying that the config files in /etc/sysconfig/network-scripts/ifcfg-* should have NM_CONTROLLED = no vs yes? TIA!

        • Hi John,

          I’m saying you should DISABLE “NetworkManager” on the sniffing interfaces and INSTEAD ENABLE the “network” service. This is because NetworkManager doesn’t allow you to specify the configurations we want to optimize traffic capture for Zeek.

          Hope that helps!
          Eric

  • Hi Eric, Thank you for this guide, it’s very helpful for me. Now if I want to add a second sniffing interface, do I have to disable the NIC Offloading Function and set the second sniffing interface to PROMISCUOUS MODE also?
    Thank you.

    • Hi Luqman,

      Glad to hear it’s been helpful for you!

      Yes, for each sniffing interface you want to use, you should apply the same steps under “DISABLE NIC OFFLOADING FUNCTIONS” to optimize the interface for packet capture.

      Hope that helps!

        • Hi Eric,
          May I ask why you use AF_PACKET instead of PF_RING in part 2 of this setup?
          Are there any advantages of using AF_PACKET over PF_RING for zeek?

          Thank you in advance

          • Hi Luqman,

            Great question! Once upon a time I too used PF_RING. There are two primary reasons for my moving to AF_PACKET:

            * AF_PACKET is already built into the Linux kernel so using and maintaining it is much easier. In my experience, compiling and installing PF_RING is non-trivial, in particular updating it whenever a new version of the PF_RING package is released.

            * AF_PACKET has been shown to effectively capture packets at high speeds on modern Linux kernels. It has been recommended on the Zeek mailing list (including by the team at Mozilla that has tuned AF_PACKET to capture up to 20Gbps) and is used by notable NSM distributions such as RockNSM and Security Onion.

            You’re certainly welcome to still use PF_RING if you find it works better for you. I’ve only used the open source PF_RING packages, not the paid-for licensed versions so I can’t speak to how well those work. For experienced Linux users, PF_RING is _not too difficult_ to maintain, and it will definitely improve packet capture performance over using absolutely no optimization.

            Hope that helps!

  • Eric,
    I have this issue too:
    ==== stderr.log
    fatal error: problem with interface (pcap_error: socket: Operation not permitted (pcap_activate))

    I know it has something to do with the bro user privileges, but I cannot figure out anything other than the step:
    sudo setcap cap_net_raw,cap_net_admin=eip /opt/bro/bin/bro
    sudo setcap cap_net_raw,cap_net_admin=eip /opt/bro/bin/broctl

    but that does not seem to do the trick.
    Running as root, it works.
    Any suggestions?

    thnx

    • Hi Boudy — Yep, those commands are what should take care of it. I remember having similar issues and I believe some combination of running those two commands again and restarting resolved it. I know, seems silly. Also make sure that the bro user is the owner of the /opt/bro directory, which is the next step in the guide.

      • Eric, You’re a life saver.

        I executed both again as the bro user, did the broctl deploy, and there were no errors this time!!!!
        Woohoo!

        thnx,

        Boudy

        • I had to leave a comment here, just to say thanks. I’ve been banging my head against the wall for the last two days trying to find a solution for the same Operation not permitted error Boudy mentioned. Some serious Googling brought me here after also having watched a Pluralsight course video, and I found these setcap commands.

          My remaining hair on my head thanks you, Eric.

      • Hi Eric
        I have something wrong after deploying the zeek cluster: worker-2 did not run the zeek scripts but only copied those scripts from the manager. Why, and how could I fix it?

        • Hi Fang,

          Not sure I understand the issue. I suggest double checking your /opt/zeek/etc/node.cfg and making sure worker-2 is set to type=worker and not type=manager.

          Hope that helps!
          Eric

  • Disable the NetworkManager service and enable the “network” service
    1. Stop and disable the NetworkManager service.
    2. Verify that NetworkManager has been disabled.
    — I get this in reply:
    $ sudo systemctl list-unit-files | grep NetworkManager
    NetworkManager-dispatcher.service disabled
    NetworkManager-wait-online.service disabled <<< you show "enabled" for this.
    NetworkManager.service disabled

    You say … '…enable the “network” service' but there are no instructions about that.

    ———

    I went through the installation procedure and get this error:

    ==== stderr.log
    fatal error: problem with interface eno1 (pcap_error: socket: Operation not permitted (pcap_activate))

    What am I missing here?

    Thanks in advance.
