[Bro-Dev] New logging architecture

Gilbert Clark gc355804 at ohio.edu
Fri Jul 1 16:38:40 PDT 2011 

Hey folks:

I'm working on building threading into the logging framework in parallel 
with the work I'm doing on DataSeries.  I believe I have a plan, and was 
hoping to get some input from other folks on the list.

At the moment, a log message:

*) Is generated deep within Bro, eventually finding its way to LogMgr::Write
*) In LogMgr::Write, the following happens:
    > Checks that an appropriate LogMgr::Stream exists for the writer
    > Checks that any relevant LogWriter has been properly initialized
    > Applies any necessary filters
*) The log message is turned into a LogVal **
    > In the case of a remote filter, the LogVal ** is spirited away to 
serializations unknown
    > In the case of a local filter, the LogVal ** is passed along to 
the appropriate LogWriter::Write for processing.

So, to change this to support threading, I was planning to turn 
LogMgr::Stream into a self-contained object with two 0mq message-passing 
sockets attached:

*) One write-only (PUSH) 0mq socket created by the parent LogMgr, that 
could be used to send messages to the Stream object (for example, 
something like LOG_WRITE)
*) One read-only (PULL) 0mq socket created by the child Stream object, 
which would be used to receive the messages the LogMgr sent.

After the LogMgr::Stream was created, the PUSH 0mq socket would be the 
only means with which to communicate with it (in order to avoid needing 
evil things like semaphores / condition variables).  This means that the 
LogMgr would need to generate and pass messages to the LogMgr::Stream 
object.

Thus, the LogWriter initialization bit and the LogWriter logging bit 
would both happen within the context of the Stream thread (and as a 
result of writing an appropriate message to the LogMgr::Stream's PUSH 
socket).

I figure the LogMgr would need to be able to generate (at a minimum) the 
following types of messages:

*) EnableStream
*) DisableStream
*) StreamInit
*) StreamFinish
*) RotateLog
*) LogMessage

(Note: as a shortcut, we could probably build a fast-track 
LogMessageInProc type that passed a pointer to the data to log, rather 
than encapsulating everything when passing within a single process... 
but I figure that's an optimization, and could probably be dealt with 
later if it proves to be necessary).

Anyway, I figure that, after this point, we'd be close to having an 
entirely self-contained logging infrastructure; so long as the message 
format was standardized (and I do have a rough draft of a message format 
which I'd be happy to send out, assuming the above isn't too confusing 
and seems technically sound), anything that spoke the correct message 
format could act as a logger for Bro.

So. . . thoughts?  Does that make sense?  What's bad / broken about 
doing things this way?

Thanks,
Gilbert Clark

More information about the bro-dev mailing list