[Bro-Dev] Broker data store use case and questions

Azoff, Justin S jazoff at illinois.edu
Mon May 14 11:34:36 PDT 2018

> On May 14, 2018, at 10:12 AM, Jon Siwek <jsiwek at corelight.com> wrote:
> A short-lived cache, separate from the data store, still has problems like the above: there can be times where the local cache contains the key and the master store does not and so you may miss some (re)insertions.

I see what you mean.. I can almost see a solution involving using create_expire and expire_func to trigger a re-submit when the local cache expires, but that may cause the opposite problem.  This would mean that a record would be sent the first time it was seen and then at most once again N minutes after that.  If N minutes after that is 00:03 the entry would be logged on the following day even if it was not seen yet.  I suppose if the value in the cache table was the network_time of the last time seen that could used to fill in the HostInfo record.

Justin Azoff

More information about the bro-dev mailing list