[Bro] Log Stream Types

Seth Hall seth at icir.org
Wed Apr 9 06:34:38 PDT 2014


On Apr 2, 2014, at 10:00 PM, anthony kasza <anthony.kasza at gmail.com> wrote:

> I'm hoping someone could explain why
> %prefix%bro/share/bro/base/frameworks/logging/main.bro (from an
> installation) defines a Log::Stream type as a record of two any types
> but bro/src/logging/Manager.cc (line 335 from Github) seems to enforce
> Log::Stream types to consist of an event type.

That’s a hack. :)  It’s because internally, the $columns field is a TypeType type which allows us to specify a type as a value (I know, kind of weird).  $ev is declared as any at script land because the type of an event includes the full parameter list but most events being provided to that field are of different types because they carry different record types in their parameter lists.

Those hacks have bugged us (me at least!) for quite a while and if there is anything that is constant in our community, it’s that change is constant and we’ll probably be back around to work on this issue again before long. :)

> I'm curious to see if
> it is possible to take immediate action upon a log line being ready
> with a function or hook instead of having to wait for an event to be
> handled.

Typically when writing scripts that have specific requirements like it sounds like yours has, I don’t recommend that people hang off of the logging events.  You are always going to run into problems like you are here.  Find the event that you really want to hang your functionality off of and do that.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
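
An added example, not part of the original message and not the Bro project's own code: two streams whose log events have different types are both accepted by `$ev`, and the immediate action is taken in the event that produces the data rather than in a logging event. The module, record, field and event names are hypothetical, and the syntax assumes the Bro 2.x scripting language of the time (`bro_init`).

```bro
# Added example; Demo, InfoA, InfoB, log_a and log_b are hypothetical names.
module Demo;

export {
	redef enum Log::ID += { LOG_A, LOG_B };

	type InfoA: record {
		ts:   time   &log;
		uid:  string &log;
		note: string &log;
	};

	type InfoB: record {
		ts:    time  &log;
		host:  addr  &log;
		total: count &log;
	};

	# Two log events whose types differ because their parameter lists differ.
	global log_a: event(rec: InfoA);
	global log_b: event(rec: InfoB);
}

event bro_init()
	{
	# $columns receives a record type used as a value; $ev receives events of
	# two different types. Both fields are declared `any` in Log::Stream.
	Log::create_stream(Demo::LOG_A, [$columns=InfoA, $ev=log_a]);
	Log::create_stream(Demo::LOG_B, [$columns=InfoB, $ev=log_b]);
	}

# Hang the functionality off the event that carries the data, then log.
event connection_state_remove(c: connection)
	{
	local a: InfoA = [$ts=network_time(), $uid=c$uid, $note="connection removed"];
	local b: InfoB = [$ts=network_time(), $host=c$id$orig_h, $total=c$orig$size];

	# Immediate action runs here, in the handler, before anything is logged.
	if ( c$id$resp_p == 23/tcp )
		print fmt("telnet connection %s finished", c$uid);

	Log::write(Demo::LOG_A, a);
	Log::write(Demo::LOG_B, b);
	}
```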
