[Bro-Dev] Broker data layouts

Matthias Vallentin vallentin at icir.org
Fri Aug 24 07:32:24 PDT 2018


> I don't really see a way around that without substantially increasing
> volume. We could send LogCreate updates regularly, so that it's easier
> to synchronize with an ongoing stream.

It sounds like this is critical also for regular operation: (1) when
an endpoint bootstraps slowly and the LogCreate message has already
been sent, it doesn't know what to do, and (2) when an endpoint
crashes and comes back, it may have lost the state from the initial
LogCreate.

That said, I want to make sure I understood you correctly: is it
currently impossible to parse Bro logs with Broker, because all logs
come in the LogWrite message, which is a binary blob? It sounds like
the topic /bro/logs gets the LogCreate and LogWrite messages.

In other words, can Broker currently be used if one writes a Bro
script that publishes plain events (message type 1 in bro.hh)?

    Matthias