Closed awelzel closed 1 year ago
Stems from this comment: https://github.com/zeek/zeek/pull/2841#issuecomment-1454011482
@J-Gras - is this something you'd consider?
I'm forth and back bringing up the topic of a &deprecated on the $interface field in the cluster-layout. I'm sure it's not that easy, but specifically for this package it's not required these days anymore (and the change would also allow using the package in environments where $interface is not populated).
Zeek 3.1 introduced the packet_source() bif. It can be leveraged to reliably get the live interface of a worker. Whether cluster-layout.zeek / Cluster::nodes provides the interface field is not guaranteed.
This change allows using this package in environments where the Cluster::Node$interface field is not populated. Further, it adds the interface for a simple zeek -i eth0 invocation, which seems nice. Technically, the only reason this depends on Cluster now is the fallback to the "unknown" interface and I'm not quite sure that's actually useful for when logs are generated on proxies or managers.