[Bro] log streams in a bro cluster

[Luis Martin Liras]

THAT WORKED!!!

Thank you Justin!

but... in this case... what is local-worker.bro for?. I understood that 
local-worker is what you are running in the workers... Actually the 
linux process still uses local-worker.bro (which is empty...):

  /usr/local/bro/bin/bro -i eth0 -U .status -p broctl -p broctl-live -p 
local -p worker-1 local.bro broctl base/frameworks/cluster 
*local-worker.bro* broctl/auto


Thank you Justin, I would never have figured out this was the problem...


On 09/06/16 18:58, Azoff, Justin S wrote:
>> On Jun 9, 2016, at 9:48 AM, Luis Martin Liras <martin.liras at gmail.com> wrote:
>> 2.- local-worker.bro:
>>
>> event bro_init() &priority=5
>> {
>> ...
>>        Log::create_stream(myprot::MY-PROT_LOG, [$columns=myprot_info, $path="myprot"]);
>>         Log::create_stream(myprot::MY-PROT_WARN, [$columns=myprot_info,$path="warnings"]);
>>
>>         ...
>>
>> }
>>
>>
>> 3.- local-manager.bro
>>
> ...
>
> Ah!  the files you are putting things in is your problem. Take everything you put in local-worker.bro and local-manager.bro and put it into a script and load that script from local.bro
>
> When you use local-worker directly and call create_stream there then the manager knows nothing about about those log streams.
>
> Additionally, if that is where you are defining the notice types, that will break notices as well because when the notice reaches the manager it also has no idea what to do with it.
>
> There aren't many things that people do that actually belong in the local-worker or local-manger scripts, everything should almost always  just go in local.bro.  things like create_stream and NOTICE automatically do the right thing depending on what node it is ran on.
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160610/dd974b21/attachment.html