[Bro] Broker coding question

Mike Dopheide dopheide at gmail.com
Thu May 24 07:47:58 PDT 2018


Ah, thanks.  I knew I was missing something silly and I feel like others
will run into this as well.  What do you think about reflecting that in the
Broker docs?  I'm happy to make those changes and submit a pull request.

-Dop

On Wed, May 23, 2018 at 10:08 PM, Jon Siwek <jsiwek at corelight.com> wrote:

> On Wed, May 23, 2018 at 3:54 PM, Mike Dopheide <dopheide at gmail.com> wrote:
> > When I run this and then check with "broctl print Dop::bourbon", all I ever
> > see is Eagle Rare, none of the published events appear to make it into the
> > set.
>
> You're running into a longstanding inconsistency in the way Bro
> resolves event identifiers [1], which was also a source of confusion
> before Broker.
>
> A general rule to follow when using event names in Bro is: if you
> define it inside a module/namespace, then just always use that
> namespace scoping when referring to the event name, so try replacing
> all references to "manager_to_workers" in your script with
> "Dop::manager_to_workers".
>
> Another thing to note about that script is that a cluster will start
> worker nodes after the manager node, so I expect only the scheduled
> "Elijah Craig" event to consistently reach workers.  Since all the
> other events happen at bro_init() time (or very close to it), the
> worker has not yet connected.
>
> You should also notice that dispatching via "event" will still call
> any local event handlers as it did before, but Broker::publish will
> not.
>
> - Jon
>
> [1] https://bro-tracker.atlassian.net/browse/BIT-71
>
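
Added example, not part of the original thread and not Mike's script (which is not shown on this page): a minimal Bro script applying the three points from Jon's reply. It assumes the Bro 2.6 cluster framework (Cluster::worker_topic, Cluster::node_up, Broker::publish); the handler body and the initial set contents are constructed for illustration.

```bro
module Dop;

export {
    # Constructed sample state; "broctl print Dop::bourbon" shows this set.
    global bourbon: set[string] = { "Eagle Rare" };

    # Declared inside the module, so its full name is Dop::manager_to_workers.
    global manager_to_workers: event(name: string);
}

# Point 1: always use the module-scoped name when referring to the event,
# both in the handler and in every publish/event statement.
event Dop::manager_to_workers(name: string)
    {
    add bourbon[name];
    }

# Point 2: workers start after the manager, so anything published at
# bro_init() time can be sent before a worker has connected. Publishing
# from Cluster::node_up waits until a worker is actually peered.
event Cluster::node_up(name: string, id: string)
    {
    if ( Cluster::local_node_type() != Cluster::MANAGER )
        return;

    if ( name !in Cluster::nodes ||
         Cluster::nodes[name]$node_type != Cluster::WORKER )
        return;

    # Sent to remote subscribers of the worker topic only.
    Broker::publish(Cluster::worker_topic, Dop::manager_to_workers,
                    "Elijah Craig");

    # Point 3: Broker::publish does not run local handlers, so raise the
    # event locally as well if the manager should update its own copy.
    event Dop::manager_to_workers("Elijah Craig");
    }
```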