Bro / Zeek broctl unable to find peers


After installation of Bro in cluster mode, peerstatus hangs, and only basic logs are generated, no traffic logs. No Conn log, or any others.

Log output below. I noticed no core file found in the logger, as well as the worker, but as I installed from source, I'm not sure about that one. My node.cfg is the default cluster setup.

I'm ssh'ing as root to the worker nodes.

I turned off cluster mode, and went to single node, and it works fine.

[root@localhost 2019-06-03]# sudo broctl status
Name         Type    Host             Status    Pid    Started
logger       logger  xxx.xxx.x.xxx    running   24853  04 Jun 16:50:39
manager      manager xxx.xxx.x.xxx    running   24899  04 Jun 16:50:40
proxy-1      proxy   xxx.xxx.x.xxx    running   24944  04 Jun 16:50:42
worker-1     worker  xxx.xxx.x.xyy    running   16406  04 Jun 16:50:43
[root@localhost 2019-06-03]# sudo broctl top
Name         Type    Host             Pid     VSize  Rss  Cpu   Cmd
logger       logger  xxx.xxx.x.xxx    24853   264M   111M   0%  bro
manager      manager xxx.xxx.x.xxx    24899   229M    99M   6%  bro
proxy-1      proxy   xxx.xxx.x.xxx    24944   228M   100M   0%  bro
worker-1     worker  xxx.xxx.x.xyy    16406   803M   676M   6%  bro
[root@localhost 2019-06-03]# sudo broctl check
logger scripts are ok.
manager scripts are ok.
proxy-1 scripts are ok.
worker-1 scripts are ok.
[root@localhost 2019-06-03]# sudo broctl diag
[logger]

No core file found.

Bro 2.6.1
Linux 3.10.0-957.12.2.el7.x86_64

Bro plugins: (none found)

==== No reporter.log

==== stderr.log
...
[logger]
type=logger
host=xxx.xxx.x.xxx

[manager]
type=manager
host=xxx.xxx.x.xxx

[proxy-1]
type=proxy
host=xxx.xxx.x.xxx

[worker-1]
type=worker
host=xxx.xxx.x.xyy
interface=ens192

Solution

  • Fixed the issue by opening ports 47760-47770 in the Firewall. Everything works now. Somehow I missed the following in the documentation:

    For a cluster setup, the logger listens on TCP port 47761, and the manager listens on TCP port 47762 (or 47761 if no logger is defined). Each proxy is assigned its own port number, starting with one number greater than the manager's port. Likewise, each worker is assigned its own port starting one number greater than the highest port number assigned to a proxy. https://github.com/zeek/zeekctl
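The numbering rule quoted in the answer can be turned into a per-host list of TCP ports to compare against firewall rules. This is an added example, not part of the original post and not zeekctl's own code; it assumes the first port is 47761 as quoted, and the host addresses in the sample are constructed placeholders.

```python
import configparser

# Constructed sample mirroring the question's node.cfg; hosts are placeholders.
SAMPLE_NODE_CFG = """
[logger]
type=logger
host=192.0.2.10
[manager]
type=manager
host=192.0.2.10
[proxy-1]
type=proxy
host=192.0.2.10
[worker-1]
type=worker
host=192.0.2.11
interface=ens192
"""

FIRST_PORT = 47761  # first port named in the quoted documentation (assumed default)
ORDER = ("logger", "manager", "proxy", "worker")  # assignment order per the quote

def assign_ports(node_cfg_text, first_port=FIRST_PORT):
    """Return [(name, type, host, port)] following the documented numbering."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(node_cfg_text)
    nodes = [(s, cfg[s]["type"], cfg[s]["host"]) for s in cfg.sections()]
    unknown = [n for n in nodes if n[1] not in ORDER]
    if unknown:
        raise ValueError(f"unexpected node type(s): {unknown}")
    port, out = first_port, []
    for node_type in ORDER:  # within a type, node.cfg order is kept
        for name, _, host in (n for n in nodes if n[1] == node_type):
            out.append((name, node_type, host, port))
            port += 1
    return out

def ports_by_host(assignments):
    """Group listening ports by host: what each host's firewall must accept."""
    by_host = {}
    for _, _, host, port in assignments:
        by_host.setdefault(host, []).append(port)
    return by_host

if __name__ == "__main__":
    for name, node_type, host, port in assign_ports(SAMPLE_NODE_CFG):
        print(f"{name:10} {node_type:8} {host:15} tcp/{port}")
```

Opening only the ports this returns for each host is narrower than the 47760-47770 range used in the answer, but the list has to be recomputed whenever nodes are added to node.cfg.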