Re: [Bro-Dev] Broker data layouts
On Fri, Aug 24, 2018 at 16:32 +0200, Matthias Vallentin wrote:

> It sounds like this is critical also for regular operation:

Agree. Right now a newly connecting peer gets a round of explicit LogCreates, but that's probably not the best way forward for larger topologies.

> is it currently impossible to parse Bro logs with Broker, because all
> logs come in the LogWrite message, which is a binary blob?

Correct. (This was different at first, but the switch was necessary for performance. It's waiting for a better solution at this point.)

> In other words, can Broker currently be used if one writes a Bro
> script that publishes plain events (message type 1 in bro.hh)?

Yes to that. Non-Bros can exchange events (assuming they know the schema), but not logs.

Robin

--
Robin Sommer * Corelight, Inc. * ro...@corelight.com * www.corelight.com

___
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
Re: [Bro-Dev] Broker data layouts
> I don't really see a way around that without substantially increasing
> volume. We could send LogCreate updates regularly, so that it's easier
> to synchronize with an ongoing stream.

It sounds like this is critical also for regular operation: (1) when an endpoint bootstraps slowly and the LogCreate message has already been sent, it doesn't know what to do, and (2) when an endpoint crashes and comes back, it may have lost the state from the initial LogCreate.

That said, I want to make sure I understood you correctly: is it currently impossible to parse Bro logs with Broker, because all logs come in the LogWrite message, which is a binary blob? It sounds like the topic /bro/logs gets the LogCreate and LogWrite messages. In other words, can Broker currently be used if one writes a Bro script that publishes plain events (message type 1 in bro.hh)?

Matthias