[Bro] Broker coding question

Jon Siwek jsiwek at corelight.com
Wed May 23 20:08:05 PDT 2018


On Wed, May 23, 2018 at 3:54 PM, Mike Dopheide <dopheide at gmail.com> wrote:
> When I run this and then check with "broctl print Dop::bourbon", all I ever
> see is Eagle Rare, none of the published events appear to make it into the
> set.

You're running into a longstanding inconsistency in the way Bro
resolves event identifiers [1], which was also a source of confusion
before Broker.

A general rule to follow when using event names in Bro is: if you
define it inside a module/namespace, then just always use that
namespace scoping when referring to the event name, so try replacing
all references to "manager_to_workers" in your script with
"Dop::manager_to_workers".

Another thing to note about that script is that a cluster will start
worker nodes after the manager node, so I expect only the scheduled
"Elijah Craig" event to consistently reach workers.  Since all the
other events happen at bro_init() time (or very close to it), the
worker has not yet connected.

You should also notice that dispatching via "event" will still call
any local event handlers as it did before, but Broker::publish will
not.

- Jon

[1] https://bro-tracker.atlassian.net/browse/BIT-71
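The following script is an added example illustrating the three points in the reply above (scoped event names, waiting for workers to connect, and Broker::publish skipping local handlers); it is not Mike's original script. The module name Dop, the set Dop::bourbon, the event manager_to_workers and the two bourbon names come from the thread; the use of Cluster::node_up and Cluster::worker_topic is an assumption about how a Bro 2.6 cluster would be wired up.

```bro
# Added example, not the original script from the thread.
# Assumes a Bro 2.6 cluster with the standard cluster framework loaded.
module Dop;

export {
    ## Bourbons seen on this node; "broctl print Dop::bourbon" shows this set.
    global bourbon: set[string] = { "Eagle Rare" };

    ## Declared inside the module, so every reference must be written as
    ## Dop::manager_to_workers (BIT-71 describes why the unscoped name misbehaves).
    global manager_to_workers: event(b: string);
}

# Handler uses the fully scoped name; it runs on whichever node receives the event.
event Dop::manager_to_workers(b: string)
    {
    add bourbon[b];
    }

@if ( Cluster::local_node_type() == Cluster::MANAGER )
# Workers connect after the manager starts, so a publish from bro_init()
# reaches nobody. Publish when each worker reports in instead (assumption:
# Cluster::node_up is the trigger used here).
event Cluster::node_up(name: string, id: string)
    {
    # node_up fires for proxies and loggers too; only workers are of interest.
    if ( Cluster::nodes[name]$node_type != Cluster::WORKER )
        return;

    # Broker::publish delivers only to remote subscribers of the topic.
    # Unlike "event Dop::manager_to_workers(...)", it does not run the
    # manager's own handler, so "Elijah Craig" lands in the workers' sets only.
    Broker::publish(Cluster::worker_topic, Dop::manager_to_workers, "Elijah Craig");
    }
@endif
```

Checking a worker with "broctl print Dop::bourbon" should then show both names, while the manager still shows only "Eagle Rare"; adding a local "event Dop::manager_to_workers(...)" call next to the publish is the way to update the manager's own set as well.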