[Bro-Dev] Broker data layouts

Jon Siwek jsiwek at corelight.com
Thu Aug 23 08:01:02 PDT 2018


On Thu, Aug 23, 2018 at 8:32 AM Dominik Charousset
<dominik.charousset at haw-hamburg.de> wrote:

> I’m a bit hesitant to rely on this header at the moment, because of:
>
> /// A Bro log-write message. Note that at the moment this should be used only
> /// by Bro itself as the arguments aren't publicly defined.
>
> Is the API stable enough on your end at this point to make it public?

The comment is just pointing out what was said about the log message
formats being opaque at the moment.  It's expected only Bro will be
able to make sense of the content.

> Also, there are LogCreate and LogWrite events. The LogCreate has the `fields_data` (a list of field names?).

Yeah, there's some field info in there: names, types, optionality.
The type info in particular doesn't seem good to treat as intended
for public consumption.

> Does that mean I need to receive the LogCreate even first to understand successive LogWrite events? That would mean I cannot parse logs that had their LogCreate event before I was able to subscribe to the topic.

Yeah, that's one problem, but a bigger issue is you can't parse
LogWrite because the content is a serial blob whose format is another
thing not intended for public consumption.

- Jon
