[Bro-Dev] Broker data layouts

Robin Sommer robin at corelight.com
Wed Aug 22 07:54:14 PDT 2018



On Tue, Aug 21, 2018 at 14:05 -0500, Jonathan Siwek wrote:

> Though the Broker data corresponding to log entry content is also
> opaque at the moment (I recall that was maybe for performance or
> message volume optimization),

Yeah, but generally this is something I could see opening up. The log
structure is pretty straightforward and self-describing; it'd be
mostly a matter of cleanup and documentation to make that directly
accessible to external consumers, I think. Events, on the other hand,
are semantically tied very closely to the scripts generating them, and
also much more diverse, so that self-description doesn't really seem
feasible/useful. Republishing a relevant subset certainly sounds
better for that; or, if it's really a bulk feed that's desired, some
out-of-band mechanism to convey the schema information somehow.

Robin

-- 
Robin Sommer * Corelight, Inc. * robin at corelight.com * www.corelight.com