Current State of Affairs
A near-term item on the Zeek Roadmap is to provide an alternative, and eventual successor, to BroControl. For context on why that's the case, here are the current pain points:
- Process supervision in an external tool/process like BroControl is flaky.
- It's awkward to develop and test new scripts that are destined for production environments.
- Atypical system/service/container management and administration.
BroControl evolved from a prior tool that was originally built to satisfy a particular research use-case, not necessarily modern deployments. That's expected, coming from such an early point in time. However, with a large user base now depending on Zeek for production use, it's wise to design a new tool that, from the start, takes into account the wider community's needs.
The Plan
There's been a brief round of internal discussion already with the following design and implementation notes produced from that:
Zeek Supervisor Design Doc
To summarize the goal: we want to make the main Zeek/Bro process the point of entry for deployments and allow just running the Zeek/Bro process to create a cluster deployment comparable to what BroControl would currently configure.
We haven't started implementing any of this yet in order to capture and respond to community feedback, so please get in touch with any you may have. The mailing list (firstname.lastname@example.org) is a good place to discuss.