[Bro-Dev] Broker data store use case and questions
Azoff, Justin S
jazoff at illinois.edu
Mon May 14 11:34:36 PDT 2018
> On May 14, 2018, at 10:12 AM, Jon Siwek <jsiwek at corelight.com> wrote:
> A short-lived cache, separate from the data store, still has problems like the above: there can be times where the local cache contains the key and the master store does not and so you may miss some (re)insertions.
I see what you mean.. I can almost see a solution involving using create_expire and expire_func to trigger a re-submit when the local cache expires, but that may cause the opposite problem. This would mean that a record would be sent the first time it was seen and then at most once again N minutes after that. If N minutes after that is 00:03 the entry would be logged on the following day even if it was not seen yet. I suppose if the value in the cache table was the network_time of the last time seen that could used to fill in the HostInfo record.
More information about the bro-dev