Dockerize bro, you can have as many as you want.
On Tue, Nov 26, 2019, 3:05 PM Erich M Nahum <nahum(a)us.ibm.com> wrote:
I figured it out. Two zeek installations (/opt/zeek1,
node.cfg files, and most importantly, the second zeekctl.cfg with the port
ZeekPort = 48760
instead of the default 47760 port.
I don't know if this is supported, but it seems to work.
----- Original message -----
From: Erich M Nahum/Watson/IBM
Subject: Two instances of bro on the same host?
Date: Mon, Nov 25, 2019 2:49 PM
I have a multi-core machine listening to 8 interfaces with zeek. I'm
using the kafka plugin to send logs to individual topics (conn, dns, http,
I've recently gotten a tap outside the firewall and want to send the
equivalent logs to different comparable topics (conn-firewall,
I'm currently using zeekctl with multiple workers. What I'm wondering is:
can I use two instances of zeekctl on the same machine, one for inside the
FW and one for outside?
It's not an option right now to do the outside the FW on a separate
Zeek mailing list