> I don't really see a way around that without substantially increasing
> volume. We could send LogCreate updates regularly, so that it's easier
> to synchronize with an ongoing stream.

It sounds like this is critical also for regular operation: (1) when an endpoint bootstraps slowly and the LogCreate message has already been sent, it doesn't know what to do, and (2) when an endpoint crashes and comes back, it may have lost the state from the initial LogCreate.

That said, I want to make sure I understood you correctly: is it currently impossible to parse Bro logs with Broker, because all logs come in the LogWrite message, which is a binary blob? It sounds like the topic /bro/logs gets the LogCreate and LogWrite messages.

In other words, can Broker currently be used if one writes a Bro script that publishes plain events (message type 1 in bro.hh)?

Matthias

_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev