[Bro-Dev] Broker::publish API
Robin Sommer
robin at corelight.com
Mon Aug 6 11:57:32 PDT 2018
On Fri, Aug 03, 2018 at 15:57 -0500, Jonathan Siwek wrote:
> Another use is hidden within Cluster::relay_rr():
Yeah, though at least from an API perspective this is different: The
caller gives relay_rr() only one topic to send to (indicator_topic).
It's then using a different topic internally to get it over to the
proxy first, but that feels more like an implementation detail. So in
that sense I would argue that this is not a use-case for the Broker
API letting users change the topic on relay. (I'm not saying that that
capability can't be useful, I'm just still looking for actual use
cases.)
I have another question about this specific case: we use relay_rr()
only for sending Intel::insert_indicator. Intel::remove_indicator gets
published normally through auto_publish(). Why the difference?
Robin
--
Robin Sommer * Corelight, Inc. * robin at corelight.com * www.corelight.com
More information about the bro-dev
mailing list