
Zeek-agent does not work with Zeek v.4

Open anakorenko opened this issue 4 years ago • 5 comments

Hello, I'm testing Zeek-agent with Zeek v.4 and receiving errors in /var/log/zeek/:
"Reconnecting has failed. Retrying again later." Everything is configured as in the Configure example. This is zeek-agent.log:

1628519693.510724 zeek /zeek/zeek-agent/zeeks debug Forwarding event ZeekAgent::zeek_subscribe() for query 'SELECT uid_signed, gid_signed, username, description, directory, shell FROM users'
1628519693.510724 zeek /zeek/zeek-agent/zeeks debug Forwarding event ZeekAgent::zeek_subscribe() for query 'SELECT path FROM mounts'
1628519693.510724 zeek /zeek/zeek-agent/zeeks debug Forwarding event ZeekAgent::zeek_subscribe() for query 'SELECT pid, path, cmdline, cwd, uid, gid, time, parent FROM process_events'
1628519693.510724 local ZeekMaster info Subscribing to Broker topic /zeek/zeek-agent/zeek/ZeekMaster
1628519693.510724 local ZeekMaster info Accepting incoming broker connections on IP 0.0.0.0 and port 9999/tcp
1628519693.510724 zeek /zeek/zeek-agent/zeeks debug Forwarding event ZeekAgent::zeek_subscribe() for query 'SELECT listening_ports.pid, name, protocol, address, port FROM listening_ports LEFT JOIN processes WHERE processes.pid=listening_ports.pid AND family=2 AND address!='127.0.0.1' AND address!='::1';'
1628519693.510724 zeek /zeek/zeek-agent/zeeks debug Forwarding event ZeekAgent::zeek_subscribe() for query 'SELECT time, severity, message FROM zeek_logger'
1628519693.510724 local ZeekMaster info Subscribing to host announce topic /zeek/zeek-agent/host_announce
1628519693.510724 local ZeekMaster info Subscribing to Zeek announce topic /zeek/zeek-agent/zeek_announce
1628519693.510724 local ZeekMaster info Subscribing to Zeek individual topic /zeek/zeek-agent/zeek/671CABD9E630E3882D6C7F544C04D2EEAA063A24#14109

The problem is definitely with versions of Zeek, because I've tested zeek-agent with Zeek v.3 and it's working perfectly.

anakorenko avatar Aug 31 '21 12:08 anakorenko

Thanks @anakorenko for the issue and for trying out Zeek Agent. We are aware that Zeek Agent does not work with Zeek version 4 and currently, there is no plan to update Zeek Agent to support Zeek version 4.

Wajihulhassan avatar Aug 31 '21 14:08 Wajihulhassan

> Thanks @anakorenko for the issue and for trying out Zeek Agent. We are aware that Zeek Agent does not work with Zeek version 4 and currently, there is no plan to update Zeek Agent to support Zeek version 4.

Would you merge my pull request if I fix the problem?

anakorenko avatar Aug 31 '21 14:08 anakorenko

Yes, we would be more than happy to accept the pull request.

Wajihulhassan avatar Aug 31 '21 21:08 Wajihulhassan

@Wajihulhassan remind me what's the issue exactly, is it just a mismatching Broker version or is there something else preventing it from working with Zeek 4?

rsmmr avatar Sep 01 '21 06:09 rsmmr

This happens due to mismatching Broker/CAF version.

Wajihulhassan avatar Sep 01 '21 06:09 Wajihulhassan