[Bro-Dev] Broker's remote logging (BIT-1784)

Robin Sommer robin at icir.org
Tue Jan 31 14:41:45 PST 2017


Taking this from the ticket to the mailing list as I'm looking for some input.

https://bro-tracker.atlassian.net/browse/BIT-1784 says:

> The change from the older communication code is that
> RemoteSerializer::ProcessLogWrite used to do
>
>     success = log_mgr->Write(id_val, writer_val, path, num_fields, val);
>
> Where bro_broker::Manager::Process uses
>
>     log_mgr->Write(stream_id->AsEnumVal(), columns->AsRecordVal());


The fact that RemoteSerializer and broker::Manager are calling
different Write() functions seems to be a broader issue: we get
different semantics that way. For RemoteSerializer, log events and log
filters run only on the originating nodes; those guys make all
decisions about what's getting logged exactly and they then send that
on to the manager, which just writes out the data it receives. With
Broker, however, both events and filters run (also) on the manager, so
that it's making its own decisions on what to record. The filters can
be different on the manager, and they will have access to different
state.

I'm not sure what approach is better actually; I think the Broker
semantics can be both helpful and harmful, depending on use case. In
any case, it's a change in semantics compared to the old
communication system, and I'm not sure we want that.

I'm wondering if there's a reason that in the Broker case things
*have* to be this way. Is there something that prevents the Broker
manager from doing the same as the RemoteSerializer?

Robin

-- 
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin

