main.zeek

Attributes:

from policy/frameworks/cluster/backend/zeromq/main.zeek

Default:

"zeek/cluster/logger"

Redefinition:

=:

zeek.cluster.logger

The topic name used for exchanging messages that are relevant to logger nodes in a cluster. Used with broker-enabled cluster communication.

Cluster::manager_is_logger 

Type:: bool
Attributes:: &redef
Default:: T

Indicates whether or not the manager will act as the logger and receive logs. This value should be set in the cluster-layout.zeek script (the value should be true only if no logger is specified in Cluster::nodes). Note that ZeekControl handles this automatically.

Cluster::manager_topic 

Type:

Attributes:

from policy/frameworks/cluster/backend/zeromq/main.zeek

Default:

"zeek/cluster/manager"

Redefinition:

=:

zeek.cluster.manager

The topic name used for exchanging messages that are relevant to manager nodes in a cluster. Used with broker-enabled cluster communication.

Cluster::node 

Type:: string
Attributes:: &redef
Default:: ""

This is usually supplied on the command line for each instance of the cluster that is started up.

Cluster::node_topic_prefix 

Type:: string
Attributes:: &redef
Default:: "zeek/cluster/node/"

The topic prefix used for exchanging messages that are relevant to a named node in a cluster. Used with broker-enabled cluster communication.

Cluster::nodeid_topic_prefix 

Type:: string
Attributes:: &redef
Default:: "zeek/cluster/nodeid/"

The topic prefix used for exchanging messages that are relevant to a unique node in a cluster. Used with broker-enabled cluster communication.

Cluster::nodes 

Type:: table [string] of Cluster::Node
Attributes:: &redef
Default:: {}

The cluster layout definition. This should be placed into a filter named cluster-layout.zeek somewhere in the ZEEKPATH. It will be automatically loaded if the CLUSTER_NODE environment variable is set. Note that ZeekControl handles all of this automatically. The table is typically indexed by node names/labels (e.g. “manager” or “worker-1”).

Cluster::proxy_topic 

Type:

Attributes:

from policy/frameworks/cluster/backend/zeromq/main.zeek

Default:

"zeek/cluster/proxy"

Redefinition:

=:

zeek.cluster.proxy

The topic name used for exchanging messages that are relevant to proxy nodes in a cluster. Used with broker-enabled cluster communication.

Cluster::retry_interval 

Type:: interval
Attributes:: &redef
Default:: 1.0 sec

Interval for retrying failed connections between cluster nodes. If set, the ZEEK_DEFAULT_CONNECT_RETRY (given in number of seconds) environment variable overrides this option.

Cluster::worker_topic 

Type:

Attributes:

from policy/frameworks/cluster/backend/zeromq/main.zeek

Default:

"zeek/cluster/worker"

Redefinition:

=:

zeek.cluster.worker

The topic name used for exchanging messages that are relevant to worker nodes in a cluster. Used with broker-enabled cluster communication.

Constants

Cluster::broadcast_topics 

Type:

set [string]

Default:

{
   "zeek/cluster/manager",
   "zeek/cluster/logger",
   "zeek/cluster/proxy",
   "zeek/cluster/worker"
}

A set of topic names to be used for broadcasting messages that are relevant to all nodes in a cluster. Currently, there is not a common topic to broadcast to, because enabling implicit Broker forwarding would cause a routing loop for this topic.

State Variables

Cluster::stores 

Type:: table [string] of Cluster::StoreInfo
Attributes:: &default = [name=<uninitialized>, store=<uninitialized>, master_node=, master=F, backend=Broker::MEMORY, options=[sqlite=[path=, synchronous=<uninitialized>, journal_mode=<uninitialized>, failure_mode=Broker::SQLITE_FAILURE_MODE_FAIL, integrity_check=F]], clone_resync_interval=10.0 secs, clone_stale_interval=5.0 mins, clone_mutation_buffer_interval=2.0 mins] &redef
Default:: {}

A table of cluster-enabled data stores that have been created, indexed by their name. This table will be populated automatically by Cluster::create_store, but if you need to customize the options related to a particular data store, you may redef this table. Calls to Cluster::create_store will first check the table for an entry of the same name and, if found, will use the predefined options there when setting up the store.

Types

Cluster::EndpointInfo 

Type:

id: string

network: Cluster::NetworkInfo

Information about a WebSocket endpoint.

Cluster::Event 

Type:

ev: any: The event handler to be invoked on the remote node.
args: vector of any: The arguments for the event.

An event instance for cluster pub/sub.

See Cluster::publish and Cluster::make_event.

Cluster::Info 

Type:

ts: time &log: The time at which a cluster message was generated.
node: string &log: The name of the node that is creating the log record.
message: string &log: A message indicating information about the cluster’s operation.

Attributes:

&log

The record type which contains the column fields of the cluster log.

Cluster::NamedNode 

Type:

Cluster::NetworkInfo 

name: string

node: Cluster::Node

Record to represent a cluster node including its name.

Type:

address: string: The IP address or hostname where the endpoint listens.
bound_port: port: The port where the endpoint is bound to.

Network information of an endpoint.

Cluster::Node 

Type:

node_type: Cluster::NodeType: Identifies the type of cluster node in this node’s configuration.
ip: addr: The IP address of the cluster node.
zone_id: string &default = "" &optional: If the ip field is a non-global IPv6 address, this field can specify a particular RFC 4007 zone_id.
p: port &default = 0/unknown &optional: The port that this node will listen on for peer connections. A value of 0/unknown means the node is not pre-configured to listen.
manager: string &optional: Name of the manager node this node uses. For workers and proxies.
id: string &optional: A unique identifier assigned to the node by the broker framework. This field is only set while a node is connected.
metrics_port: port &optional: The port used to expose metrics to Prometheus. Setting this in a cluster configuration will override the setting for Telemetry::metrics_port for the node.

Record type to indicate a node in a cluster.

Cluster::NodeType 

Type:

Cluster::NONE: A dummy node type indicating the local node is not operating within a cluster.

Cluster::CONTROL: A node type which is allowed to view/manipulate the configuration of other nodes in the cluster.

Cluster::LOGGER: A node type responsible for log management.

Cluster::MANAGER: A node type responsible for policy management.

Cluster::PROXY: A node type for relaying worker node communication and synchronizing worker node state.

Cluster::WORKER: The node type doing all the actual traffic analysis.

Types of nodes that are allowed to participate in the cluster configuration.

Cluster::StoreInfo 

Type:

Cluster::WebSocketServerOptions 

name: string &optional: The name of the data store.
store: opaque of Broker::Store &optional: The store handle.
master_node: string &default = Cluster::default_master_node &optional: The name of the cluster node on which the master version of the data store resides.
master: bool &default = F &optional: Whether the data store is the master version or a clone.
backend: Broker::BackendType &default = Cluster::default_backend &optional: The type of backend used for storing data.
options: Broker::BackendOptions &default = [sqlite=[path=, synchronous=<uninitialized>, journal_mode=<uninitialized>, failure_mode=Broker::SQLITE_FAILURE_MODE_FAIL, integrity_check=F]] &optional: Parameters used for configuring the backend.
clone_resync_interval: interval &default = Broker::default_clone_resync_interval &optional: A resync/reconnect interval to pass through to Broker::create_clone.
clone_stale_interval: interval &default = Broker::default_clone_stale_interval &optional: A staleness duration to pass through to Broker::create_clone.
clone_mutation_buffer_interval: interval &default = Broker::default_clone_mutation_buffer_interval &optional: A mutation buffer interval to pass through to Broker::create_clone.

Information regarding a cluster-enabled data store.

Type:

Cluster::WebSocketTLSOptions 

listen_host: string: The host address to listen on.
listen_port: port: The port the WebSocket server is supposed to listen on.
max_event_queue_size: count &default = Cluster::default_websocket_max_event_queue_size &optional: The maximum event queue size for this server.
tls_options: Cluster::WebSocketTLSOptions &default = [cert_file=<uninitialized>, key_file=<uninitialized>, enable_peer_verification=F, ca_file=, ciphers=] &optional: The TLS options used for this WebSocket server. By default, TLS is disabled. See also Cluster::WebSocketTLSOptions.

WebSocket server options to pass to Cluster::listen_websocket.

Type:

cert_file: string &optional: The cert file to use.
key_file: string &optional: The key file to use.
enable_peer_verification: bool &default = F &optional: Expect peers to send client certificates.
ca_file: string &default = "" &optional: The CA certificate or CA bundle used for peer verification. Empty will use the implementations’s default when enable_peer_verification is T.
ciphers: string &default = "" &optional: The ciphers to use. Empty will use the implementation’s defaults.

The TLS options for a WebSocket server.

If cert_file and key_file are set, TLS is enabled. If both are unset, TLS is disabled. Any other combination is an error.

Cluster::BackendTag

Type:

Cluster::CLUSTER_BACKEND_BROKER

Cluster::CLUSTER_BACKEND_BROKER_WEBSOCKET_SHIM

Cluster::CLUSTER_BACKEND_ZEROMQ

Cluster::EventSerializerTag

Type:

Cluster::EVENT_SERIALIZER_BROKER_BIN_V1

Cluster::EVENT_SERIALIZER_BROKER_JSON_V1

Cluster::LogSerializerTag

Type: