[Bro-Dev] Broker data layouts
Robin Sommer
robin at corelight.com
Fri Aug 24 08:13:51 PDT 2018
On Fri, Aug 24, 2018 at 16:32 +0200, Matthias Vallentin wrote:
> It sounds like this is critical also for regular operation:
Agree. Right now a newly connecting peer gets a round of explicit
LogCreates, but that's probably not the best way forward for larger
topologies.
> is it currently impossible to parse Bro logs with Broker, because all
> logs come in the LogWrite message, which is a binary blob?
Correct. (This was different at first, but the switch was necessary
for performance. It's waiting for a better solution at this point.)
> In other words, can Broker currently be used if one writes a Bro
> script that publishes plain events (message type 1 in bro.hh)?
Yes to that. Non-Bros can exchange events (assuming they know the
schema), but not logs.
Robin
--
Robin Sommer * Corelight, Inc. * robin at corelight.com * www.corelight.com