policy/frameworks/management/agent/config.zeek
- Management::Agent
Configuration settings for a cluster agent.
- Namespace: Management::Agent
- Imports: base/misc/installation.zeek, policy/frameworks/management, policy/frameworks/management/controller/config.zeek
Summary
Redefinable Options
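- Management::Agent::archive_cmd: The archival command.
- Management::Agent::archive_dir: The destination directory for archived logs.
- Management::Agent::archive_interval: The archival interval to use.
- Management::Agent::archive_logs: Whether the agent should periodically invoke zeek-archiver to finalize logs.
- Management::Agent::controller: The network coordinates of the controller.
- Management::Agent::default_port: The fallback listen port if Management::Agent::listen_port remains empty.
- Management::Agent::directory: An optional working directory for the agent.
- Management::Agent::listen_address: The network address the agent listens on.
- Management::Agent::listen_port: The network port the agent listens on.
- Management::Agent::name: The name this agent uses to represent the cluster instance it manages.
- Management::Agent::stderr_file: Agent stderr log configuration.
- Management::Agent::stdout_file: Agent stdout log configuration.
- Management::Agent::topic_prefix: The agent’s Broker topic prefix.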
Functions
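- Management::Agent::endpoint_info: Returns a Broker::EndpointInfo record for this instance.
- Management::Agent::get_name: Returns the effective name of this agent.
- Management::Agent::instance: Returns a Management::Instance describing this instance (its agent name plus listening address/port, as applicable).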
Detailed Interface
Redefinable Options
- Management::Agent::archive_cmd
The archival command. When empty, defaults to the zeek-archiver installed with the Zeek distribution. Whatever the command, the agent will invoke it like zeek-archiver, so take a look at its command-line arguments if you’re planning to put in place a substitute. Archival happens from the Log::default_rotation_dir to Management::Agent::archive_dir.
- Management::Agent::archive_dir
The destination directory for archived logs.
- Management::Agent::archive_interval
The archival interval to use. When 0, it defaults to the log rotation interval.
- Management::Agent::archive_logs
Whether the agent should periodically invoke zeek-archiver to finalize logs.
- Management::Agent::controller
- Type
- Attributes
- Default
{ address="127.0.0.1" bound_port=2150/tcp }
The network coordinates of the controller. By default, the agent connects locally to the controller at its default port. Assigning a Broker::NetworkInfo record with IP address “0.0.0.0” means the controller should instead connect to the agent. If you’d like to use that mode, make sure to set Management::Agent::listen_address and Management::Agent::listen_port as needed.
- Management::Agent::default_port
The fallback listen port if Management::Agent::listen_port remains empty.
- Management::Agent::directory
An optional working directory for the agent. Agent and controller currently only log locally, not via the Zeek cluster’s logger node. This means that if multiple agents and/or controllers work from the same directory, output may get garbled. When not set, defaults to a directory named after the agent (as per its get_name() result).
- Management::Agent::listen_address
The network address the agent listens on. This only takes effect if the agent isn’t configured to connect to the controller (see Management::Agent::controller). By default this uses the value of the ZEEK_AGENT_ADDR environment variable, but you may also redef to a specific value. When empty, the implementation falls back to Management::default_address.
- Management::Agent::listen_port
The network port the agent listens on. Counterpart to Management::Agent::listen_address, defaulting to the ZEEK_AGENT_PORT environment variable.
- Management::Agent::name
The name this agent uses to represent the cluster instance it manages. Defaults to the value of the ZEEK_AGENT_NAME environment variable. When that is unset and you don’t redef the value, the implementation defaults to “agent-<hostname>”.
- Management::Agent::stderr_file
Agent stderr log configuration. Like Management::Agent::stdout_file, but for the stderr stream.
- Management::Agent::stdout_file
Agent stdout log configuration. If the string is non-empty, Zeek will produce a free-form log (i.e., not one governed by Zeek’s logging framework) in the agent’s working directory. If left empty, no such log results.
Note that the agent also establishes a “proper” Zeek log via the Management::Log module.
- Management::Agent::topic_prefix
The agent’s Broker topic prefix. For its own communication, the agent suffixes this with “/<name>”, based on Management::Agent::get_name.
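A site-local configuration for the mode described under Management::Agent::controller, where the controller connects to the agent. This is an added example, not part of the Zeek documentation or code base. The IP address, agent name and directory are constructed placeholders, the port values are an assumption for illustration, and the example assumes ZEEK_AGENT_PORT is unset so that Management::Agent::default_port applies.

```zeek
# Constructed example: every address, name and path below is a placeholder.
@load policy/frameworks/management/agent/config

# Listen mode: address "0.0.0.0" means the agent does not dial out and the
# controller connects to the agent instead. bound_port keeps the value
# shown as the default on this page.
redef Management::Agent::controller = Broker::NetworkInfo(
    $address="0.0.0.0", $bound_port=2150/tcp);

# listen_address only takes effect in this mode. Setting it explicitly binds
# the agent to one known interface (here a management address) instead of
# relying on ZEEK_AGENT_ADDR or the Management::default_address fallback.
redef Management::Agent::listen_address = "192.0.2.10";

# Management::Agent::listen_port is left alone. With ZEEK_AGENT_PORT unset it
# stays empty, so the agent falls back to default_port (value assumed here).
redef Management::Agent::default_port = 2151/tcp;

# Explicit identity rather than the "agent-<hostname>" fallback. The name is
# also the suffix of the agent's Broker topic: <topic_prefix>/<name>.
redef Management::Agent::name = "agent-sensor01";

# One working directory per agent. Agents and controllers log locally, so a
# shared directory can garble the stdout/stderr logs of both.
redef Management::Agent::directory = "/var/lib/zeek/agent-sensor01";
```

Firewall rules for the management network then need to allow the controller to reach the agent's listen address and port, since the connection direction is reversed from the default.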
Functions
- Management::Agent::endpoint_info
- Type
Returns a Broker::EndpointInfo record for this instance. Similar to Management::Agent::instance, but with slightly different data format.
- Management::Agent::get_name
Returns the effective name of this agent.
- Management::Agent::instance
- Type
Returns a Management::Instance describing this instance (its agent name plus listening address/port, as applicable).