zeek / zeek-docker

Docker files for building Zeek.

No module json --running ./zeekctl #21

Open ghost opened 3 years ago

ghost commented 3 years ago

Hi,

I am running zeekctl inside a container and I got this issue:

I've opened the container with docker exec -u root -t -i zeek /bin/bash

root@0928d88fe04c:/zeek/bin# ./zeekctl deploy
Traceback (most recent call last):
  File "./zeekctl", line 17, in <module>
    from ZeekControl.zeekctl import ZeekCtl, ZeekControlError, CommandSyntaxError
  File "/usr/local/zeek-4.0.0/lib/zeek/python/zeekctl/ZeekControl/zeekctl.py", line 8, in <module>
    from ZeekControl import lock
  File "/usr/local/zeek-4.0.0/lib/zeek/python/zeekctl/ZeekControl/lock.py", line 4, in <module>
    from ZeekControl import config
  File "/usr/local/zeek-4.0.0/lib/zeek/python/zeekctl/ZeekControl/config.py", line 14, in <module>
    from .state import SqliteState
  File "/usr/local/zeek-4.0.0/lib/zeek/python/zeekctl/ZeekControl/state.py", line 1, in <module>
    import json
ModuleNotFoundError: No module named 'json'
root@0928d88fe04c:/zeek/bin# ./zeekctl
Traceback (most recent call last):
  File "./zeekctl", line 17, in <module>
    from ZeekControl.zeekctl import ZeekCtl, ZeekControlError, CommandSyntaxError
  File "/usr/local/zeek-4.0.0/lib/zeek/python/zeekctl/ZeekControl/zeekctl.py", line 8, in <module>
    from ZeekControl import lock
  File "/usr/local/zeek-4.0.0/lib/zeek/python/zeekctl/ZeekControl/lock.py", line 4, in <module>
    from ZeekControl import config
  File "/usr/local/zeek-4.0.0/lib/zeek/python/zeekctl/ZeekControl/config.py", line 14, in <module>
    from .state import SqliteState
  File "/usr/local/zeek-4.0.0/lib/zeek/python/zeekctl/ZeekControl/state.py", line 1, in <module>
    import json
ModuleNotFoundError: No module named 'json'

My docker-compose image

# ---------------------------------------------------------------------------------------------------------
#       zeek  docker-compose exec zeek sh
# ---------------------------------------------------------------------------------------------------------
  zeek:
    image: broplatform/bro:${BRO_VERSION}
    container_name: zeek
    restart: on-failure
    stdin_open: true # docker run -i
    tty: true        # docker run -t
    links:
      - filebeat
    volumes:
      - ./pcap:/pcap
      - ./zeek/local.zeek:/zeek/share/zeek/site/local.zeek
    # command: 
    #   - sudo zeekctl deploy
    networks:
      - elastic

JustinAzoff commented 3 years ago

Using zeekctl deploy like that in docker is never going to work right. You either just want to set the command to something like

zeek -i en0 local

or use https://docs.zeek.org/en/master/frameworks/supervisor.html#supervised-cluster-example to run a cluster using the new supervision framework.

0xxon commented 3 years ago

We still should do something about zeekctl in the container. Either build Zeek without it - or make sure that the required dependencies for it are installed in the container.

ghost commented 3 years ago

I simply added load json in order to have logs in json format and not tsv. After that I had to deploy the new config, hence zeekctl deploy.

JustinAzoff commented 3 years ago

You do not need to run zeekctl deploy.

I will work on just removing zeekctl from the containers, it isn't needed and it will never work right.

ghost commented 3 years ago

How can I deploy this then?

JustinAzoff commented 3 years ago

You're not running a cluster, there's nothing to deploy. Just run zeek.
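
The approach suggested in this thread, shown as a compose fragment. This is an added example, not a configuration posted by any participant or shipped by the project; the interface name `eth0`, `zeek` being on the image's `PATH`, and the image not defining an entrypoint that changes how `command` is interpreted are assumptions.

```yaml
# Added example (not from the thread): the service from the issue, changed so
# that Zeek itself is the container's main process and zeekctl is never run.
services:
  zeek:
    image: broplatform/bro:${BRO_VERSION}
    container_name: zeek
    restart: on-failure
    links:
      - filebeat
    volumes:
      - ./pcap:/pcap
      - ./zeek/local.zeek:/zeek/share/zeek/site/local.zeek
    # "zeek -i <interface> local" is the command given in the thread.
    # eth0 is an assumed interface name; use the one visible inside the container.
    # LogAscii::use_json=T on the command line redefines that option so the
    # ASCII log writer emits JSON instead of TSV. The same effect comes from
    # putting "redef LogAscii::use_json = T;" in the mounted local.zeek.
    command: ["zeek", "-i", "eth0", "local", "LogAscii::use_json=T"]
    networks:
      - elastic
```

With this layout a change to `local.zeek` is picked up by restarting the container (`docker-compose restart zeek`), since Zeek reads its scripts at startup.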