[Bro] Log Stream Types

anthony kasza anthony.kasza at gmail.com
Wed Apr 9 10:10:11 PDT 2014


Ah! The typing makes sense now.

You're right about the specific requirements, too. I'm looking for a way to
feed log lines to a process similar to a Python generator. I've tried the
Python broccoli bindings but wasn't satisfied with type conversions. I'll
keep looking and post here if I find anything worthwhile.
Thanks for the insight, Seth!

-AK
On Apr 9, 2014 6:34 AM, "Seth Hall" <seth at icir.org> wrote:

>
> On Apr 2, 2014, at 10:00 PM, anthony kasza <anthony.kasza at gmail.com>
> wrote:
>
> > I'm hoping someone could explain why
> > %prefix%bro/share/bro/base/frameworks/logging/main.bro (from an
> > installation) defines a Log::Stream type as a record of two any types
> > but bro/src/logging/Manager.cc (line 335 from Github) seems to enforce
> > Log::Stream types to consist of an event type.
>
> That's a hack. :)  It's because internally, the $columns field is a
> TypeType type which allows us to specify a type as a value (I know, kind of
> weird).  $ev is declared as any at script land because the type of an event
> includes the full parameter list but most events being provided to that
> field are of different types because they carry different record types in
> their parameter lists.
>
> Those hacks have bugged us (me at least!) for quite a while and if there
> is anything that is constant in our community, it's that change is constant
> and we'll probably be back around to work on this issue again before long.
> :)
>
> > I'm curious to see if
> > it is possible to take immediate action upon a log line being ready
> > with a function or hook instead of having to wait for an event to be
> > handled.
>
> Typically when writing scripts that have specific requirements like it
> sounds like yours has, I don't recommend that people hang off of the
> logging events.  You are always going to run into problems like you are
> here.  Find the event that you really want to hang your functionality off
> of and do that.
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
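
An added example, not part of the original thread and not Bro project code: one way to get the generator-style feed of log lines with explicit type conversions discussed above, by reading Bro's ASCII log output and converting each column according to the `#types` header. It assumes the default tab-separated ASCII writer layout; `bro_records`, `convert` and `SCALARS` are names made up for this sketch, and the sample log is constructed.

```python
from datetime import datetime, timezone

# Constructed sample in Bro's ASCII log layout (not real traffic).
SAMPLE_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#fields\tts\tuid\tid.orig_h\tid.resp_p\tduration\tlocal_orig\ttunnel_parents\n"
    "#types\ttime\tstring\taddr\tport\tinterval\tbool\tset[string]\n"
    "1397063411.500000\tCexample1\t192.0.2.10\t53\t0.25\tT\t(empty)\n"
    "1397063412.000000\tCexample2\t192.0.2.11\t443\t-\tF\tCa,Cb\n"
)

# Bro type name -> Python converter; unlisted types (string, addr, enum) stay str.
# Helper names in this block are this example's own, not a Bro API.
SCALARS = {
    "time": lambda s: datetime.fromtimestamp(float(s), tz=timezone.utc),
    "interval": float, "double": float, "count": int, "int": int, "port": int,
    "bool": lambda s: s == "T",
}

def convert(value, bro_type, meta):
    # Unset columns become None; empty containers become [].
    if value == meta["unset_field"]:
        return None
    if bro_type.startswith(("set[", "vector[")):
        if value == meta["empty_field"]:
            return []
        inner = bro_type[bro_type.index("[") + 1:-1]
        return [convert(v, inner, meta) for v in value.split(meta["set_separator"])]
    return SCALARS.get(bro_type, str)(value)

def bro_records(lines):
    """Yield one typed dict per log line, lazily, from any iterable of lines."""
    meta = {"separator": "\t", "set_separator": ",", "empty_field": "(empty)",
            "unset_field": "-", "fields": [], "types": []}
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#separator "):  # only space-delimited header; value is escaped
            meta["separator"] = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#"):
            key, *rest = line[1:].split(meta["separator"])
            if key in meta and rest:
                meta[key] = rest if key in ("fields", "types") else rest[0]
        elif line:
            values = line.split(meta["separator"])
            if not len(values) == len(meta["fields"]) == len(meta["types"]):
                raise ValueError("column count does not match #fields/#types")
            yield {f: convert(v, t, meta)
                   for f, v, t in zip(meta["fields"], values, meta["types"])}
```

Because `bro_records` accepts any iterable of lines, it can be handed an open file object or a tail-style line source as well as the embedded sample.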