[Bro] Broker coding question

[Jon Siwek]

Yeah, that will be good if you can suggest a place where it would have
helped (others have indeed run into it already).  Note that it's not
just Broker / remote-communication that needs to obey this event
naming restriction, it's event handling/dispatching in general.

- Jon

On Thu, May 24, 2018 at 9:47 AM, Mike Dopheide <dopheide at gmail.com> wrote:
> Ah, thanks.  I knew I was missing something silly and I feel like others
> will run into this as well.  What do you think about reflecting that in the
> Broker docs?  I'm happy to make those changes and submit a pull request.
>
> -Dop
>
> On Wed, May 23, 2018 at 10:08 PM, Jon Siwek <jsiwek at corelight.com> wrote:
>>
>> On Wed, May 23, 2018 at 3:54 PM, Mike Dopheide <dopheide at gmail.com> wrote:
>> > When I run this and then check with "broctl print Dop::bourbon", all I
>> > ever
>> > see is Eagle Rare, none of the published events appear to make it into
>> > the
>> > set.
>>
>> You're running into a longstanding inconsistency in the way Bro
>> resolves event identifiers [1], which was also a source of confusion
>> before Broker.
>>
>> A general rule to follow when using event names in Bro is: if you
>> define it inside a module/namespace, then just always use that
>> namespace scoping when referring to the event name, so try replacing
>> all references to "manager_to_workers" in your script with
>> "Dop::manager_to_workers".
>>
>> Another thing to note about that script is that a cluster will start
>> worker nodes after the manager node, so I expect only the scheduled
>> "Elijah Craig" event to consistently reach workers.  Since all the
>> other events happen at bro_init() time (or very close to it), the
>> worker has not yet connected.
>>
>> You should also notice that dispatching via "event" will still call
>> any local event handlers as it did before, but Broker::publish will
>> not.
>>
>> - Jon
>>
>> [1] https://bro-tracker.atlassian.net/browse/BIT-71
>
>