On Fri, Aug 24, 2018 at 16:32 +0200, Matthias Vallentin wrote:

> It sounds like this is critical also for regular operation:

Agree. Right now a newly connecting peer gets a round of explicit
LogCreates, but that's probably not the best way forward for larger
topologies.

> is it currently impossible to parse Bro logs with Broker, because all
> logs come in the LogWrite message, which is a binary blob?

Correct. (This was different at first, but the switch was necessary
for performance. It's waiting for a better solution at this point.)

> In other words, can Broker currently be used if one writes a Bro
> script that publishes plain events (message type 1 in bro.hh)?

Yes to that. Non-Bros can exchange events (assuming they know the
schema), but not logs.

Robin

-- 
Robin Sommer * Corelight, Inc. * ro...@corelight.com * www.corelight.com
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
