capture_loss.log and reporter.log
Zeek produces several logs that tell administrators how well Zeek is managing its analysis and reporting on network traffic.
This capture_loss.log
reports analysis of missing traffic. Zeek bases
its conclusions on analysis of TCP sequence numbers. When it detects a “gap,”
it assumes that the missing traffic corresponds to traffic loss.
The reporter.log
reports internal warnings and errors. Zeek generates
these based on how it is handling traffic and computing requirements.
Details on the format of each log appears in CaptureLoss::Info
and Reporter::Info
.
capture_loss.log
The following is an example of entries in a capture_loss.log
:
{
"ts": "2021-01-04T00:04:24.688236Z",
"ts_delta": 900.0000550746918,
"peer": "so16-enp0s8-1",
"gaps": 41,
"acks": 9944,
"percent_lost": 0.412308930008045
}
{
"ts": "2021-01-04T00:19:24.688265Z",
"ts_delta": 900.0000290870667,
"peer": "so16-enp0s8-1",
"gaps": 9,
"acks": 8530,
"percent_lost": 0.10550996483001172
}
{
"ts": "2021-01-04T00:34:24.688449Z",
"ts_delta": 900.0001838207245,
"peer": "so16-enp0s8-1",
"gaps": 0,
"acks": 52019,
"percent_lost": 0
}
{
"ts": "2021-01-04T00:49:24.688552Z",
"ts_delta": 900.0001029968262,
"peer": "so16-enp0s8-1",
"gaps": 0,
"acks": 108863,
"percent_lost": 0
}
In these logs, capture loss never exceeded 1%. For example, when Zeek reports
0.412308930008045
, that means 0.4123% capture loss, not 41.23% capture
loss. In other words, this sensor is doing well capturing the traffic on the
link it monitors (a small amount of loss is tolerable).
reporter.log
The following is an example entries in the reporter.log
:
{
"ts": "2021-01-04T01:15:02.622164Z",
"level": "Reporter::INFO",
"message": "received termination signal",
"location": ""
}
{
"ts": "2021-01-04T01:19:15.713689Z",
"level": "Reporter::INFO",
"message": "BPFConf filename set: /etc/nsm/so16-enp0s8/bpf-bro.conf (logger)",
"location": "/opt/bro/share/zeek/securityonion/./bpfconf.zeek, line 81"
}
{
"ts": "2021-01-04T01:19:22.786812Z",
"level": "Reporter::INFO",
"message": "BPFConf filename set: /etc/nsm/so16-enp0s8/bpf-bro.conf (proxy)",
"location": "/opt/bro/share/zeek/securityonion/./bpfconf.zeek, line 81"
}
The first message refers to Zeek receiving a termination signal. The second two messages refer to Zeek setting a file for configuring Berkeley Packet Filters.
Conclusion
The capture_loss.log
and reporter.log
files are helpful when
administrators need to understand how their Zeek deployment is performing. Keep
an eye on the capture_loss.log
to keep the performance within an
acceptable level.