policy/frameworks/management/agent/config.zeek

Management::Agent

Configuration settings for a cluster agent.

Namespace

Management::Agent

Imports

base/misc/installation.zeek, policy/frameworks/management, policy/frameworks/management/controller/config.zeek

Summary

Redefinable Options

Management::Agent::archive_cmd: string &redef

The archival command.

Management::Agent::archive_dir: string &redef

The destination directory for archived logs.

Management::Agent::archive_interval: interval &redef

The archival interval to use.

Management::Agent::archive_logs: bool &redef

Whether the agent should periodically invoke zeek-archiver to finalize logs.

Management::Agent::controller: Broker::NetworkInfo &redef

The network coordinates of the controller.

Management::Agent::default_port: port &redef

The fallback listen port if Management::Agent::listen_port remains empty.

Management::Agent::directory: string &redef

An optional working directory for the agent.

Management::Agent::listen_address: string &redef

The network address the agent listens on.

Management::Agent::listen_port: string &redef

The network port the agent listens on.

Management::Agent::name: string &redef

The name this agent uses to represent the cluster instance it manages.

Management::Agent::stderr_file: string &redef

Agent stderr log configuration.

Management::Agent::stdout_file: string &redef

Agent stdout log configuration.

Management::Agent::topic_prefix: string &redef

The agent’s Broker topic prefix.

Functions

Management::Agent::endpoint_info: function

Returns a Broker::EndpointInfo record for this instance.

Management::Agent::get_name: function

Returns the effective name of this agent.

Management::Agent::instance: function

Returns a Management::Instance describing this instance (its agent name plus listening address/port, as applicable).

Detailed Interface

Redefinable Options

Management::Agent::archive_cmd
Type

string

Attributes

&redef

Default

""

The archival command. When empty, defaults to the zeek-archiver installed with the Zeek distribution. Whatever the command, the agent will invoke it like zeek-archiver, so take a look at its command-line arguments if you’re planning to put in place a substitute. Archival happens from the Log::default_rotation_dir to Management::Agent::archive_dir.

Management::Agent::archive_dir
Type

string

Attributes

&redef

Default

"/usr/local/zeek/logs"

The destination directory for archived logs.

Management::Agent::archive_interval
Type

interval

Attributes

&redef

Default

0 secs

The archival interval to use. When 0, it defaults to the log rotation interval.

Management::Agent::archive_logs
Type

bool

Attributes

&redef

Default

T

Whether the agent should periodically invoke zeek-archiver to finalize logs.

Management::Agent::controller
Type

Broker::NetworkInfo

Attributes

&redef

Default
{
   address="127.0.0.1"
   bound_port=2150/tcp
}

The network coordinates of the controller. By default, the agent connects locally to the controller at its default port. Assigning a Broker::NetworkInfo record with IP address “0.0.0.0” means the controller should instead connect to the agent. If you’d like to use that mode, make sure to set Management::Agent::listen_address and Management::Agent::listen_port as needed.

Management::Agent::default_port
Type

port

Attributes

&redef

Default

2151/tcp

The fallback listen port if Management::Agent::listen_port remains empty.

Management::Agent::directory
Type

string

Attributes

&redef

Default

""

An optional working directory for the agent. Agent and controller currently only log locally, not via the Zeek cluster’s logger node. This means that if multiple agents and/or controllers work from the same directory, output may get garbled. When not set, defaults to a directory named after the agent (as per its get_name() result).

Management::Agent::listen_address
Type

string

Attributes

&redef

Default

""

The network address the agent listens on. This only takes effect if the agent isn’t configured to connect to the controller (see Management::Agent::controller). By default this uses the value of the ZEEK_AGENT_ADDR environment variable, but you may also redef to a specific value. When empty, the implementation falls back to Management::default_address.

Management::Agent::listen_port
Type

string

Attributes

&redef

Default

""

The network port the agent listens on. Counterpart to Management::Agent::listen_address, defaulting to the ZEEK_AGENT_PORT environment variable.

Management::Agent::name
Type

string

Attributes

&redef

Default

""

The name this agent uses to represent the cluster instance it manages. Defaults to the value of the ZEEK_AGENT_NAME environment variable. When that is unset and you don’t redef the value, the implementation defaults to “agent-<hostname>”.

Management::Agent::stderr_file
Type

string

Attributes

&redef

Default

"stderr"

Agent stderr log configuration. Like Management::Agent::stdout_file, but for the stderr stream.

Management::Agent::stdout_file
Type

string

Attributes

&redef

Default

"stdout"

Agent stdout log configuration. If the string is non-empty, Zeek will produce a free-form log (i.e., not one governed by Zeek’s logging framework) in the agent’s working directory. If left empty, no such log results.

Note that the agent also establishes a “proper” Zeek log via the Management::Log module.

Management::Agent::topic_prefix
Type

string

Attributes

&redef

Default

"zeek/management/agent"

The agent’s Broker topic prefix. For its own communication, the agent suffixes this with “/<name>”, based on Management::Agent::get_name.

Functions

Management::Agent::endpoint_info
Type

function () : Broker::EndpointInfo

Returns a Broker::EndpointInfo record for this instance. Similar to Management::Agent::instance, but with slightly different data format.

Management::Agent::get_name
Type

function () : string

Returns the effective name of this agent.

Management::Agent::instance
Type

function () : Management::Instance

Returns a Management::Instance describing this instance (its agent name plus listening address/port, as applicable).
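The listening mode described under Management::Agent::controller, written out as a site configuration. This is an added example, not part of the Zeek distribution. The agent name, address and directory are constructed placeholder values, and the script is assumed to be loaded by the agent's Zeek process.

```zeek
@load policy/frameworks/management/agent/config

# Constructed placeholder: an explicit name instead of relying on
# ZEEK_AGENT_NAME or the "agent-<hostname>" fallback.
redef Management::Agent::name = "agent-sensor01";

# Address "0.0.0.0" in the controller record means the agent does not
# connect out; the controller connects to the agent instead.
redef Management::Agent::controller = Broker::NetworkInfo(
	$address="0.0.0.0",
	$bound_port=2150/tcp);

# In this mode the listen settings take effect. Constructed placeholder:
# a single management-interface address for the agent to listen on.
redef Management::Agent::listen_address = "192.0.2.10";

# Management::Agent::listen_port is left empty here, so the agent falls
# back to Management::Agent::default_port.
redef Management::Agent::default_port = 2151/tcp;

# A dedicated working directory per agent: agents and controllers log
# locally, so sharing a directory can garble their output.
# Constructed placeholder path.
redef Management::Agent::directory = "/var/lib/zeek/agent-sensor01";

# Keep the free-form stdout/stderr logs in that working directory.
redef Management::Agent::stdout_file = "stdout";
redef Management::Agent::stderr_file = "stderr";

event zeek_init()
	{
	# Print the effective settings so the deployed values can be
	# checked against what was intended.
	print fmt("agent name: %s", Management::Agent::get_name());
	print fmt("instance:   %s", Management::Agent::instance());
	print fmt("topic:      %s/%s", Management::Agent::topic_prefix,
	          Management::Agent::get_name());
	}
```

If ZEEK_AGENT_PORT is set in the agent's environment, that value takes the place of the empty listen_port and the default_port fallback is not used.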