[Bro-Dev] #579: "Raw" logging writer (was: Syslog logging writer)

[Bro Tracker]

#579: "Raw" logging writer
----------------------+------------------------
  Reporter:  seth     |      Owner:
      Type:  Problem  |     Status:  new
  Priority:  High     |  Milestone:  Bro2.2
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:
----------------------+------------------------
Description changed by seth:

Old description:

> Martin has completely convinced me of the need for this.  I don't know
> about timeline we should put on it though.  The one thought I have about
> it is that it needs to use TCP due to extremely long lines that Bro logs
> tend to have.  I think it would be ok for it to have the same output
> rendering that the LogAscii writer has.

New description:

 This was formerly a ticket about creating syslog logging writer, but I
 think we found a better and more general approach in a "raw" writer.  The
 raw writer would abandon the normal tab separated output from the Ascii
 writer and instead would be based on a templating format passed through
 the config filter field.  There should also be options for sending the
 formatted data to files, sockets, and syslog.

 This writer would open several doors for us:

   * Direct integration from script-land with ELSA.
   * Functional replacement for PRADS in script-land with integration into
 Sguil.
   * Direct script-land integration with the metrics framework and
 Graphite.

 Here is a made up example of creating a metrics filter for sending data to
 Graphite:

 {{{
 Log::add_filter(Metrics::LOG, [$name="graphite",
                                $writer=Log::WRITER_RAW,
                                $path="tcp://1.2.3.4:2003/",
                                $config = table(["fmt"] = "{{metric}}
 {{value}} {{ts}}")]);
 }}}

--

-- 
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/579#comment:3>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker