Broker coding question

dopheide · May 23, 2018, 8:54pm

Maybe jumping the gun a little here, but I’ve started playing with the new Broker functions a bit and run into an issue that’s probably just lack of understanding on my part. I’ve crafted a policy specific for this discussion.

Basically, I’m trying to send data from the manager to my workers and it’s not showing up as I’d expect. In this policy you’ll see a couple different ways I thought were right based on the documentation and looking at other examples. One was using Broker::auto_publish so any call to my ‘manager_to_workers’ event should go out automatically. The other is a straight Broker::publish.

When I run this and then check with “broctl print Dop::bourbon”, all I ever see is Eagle Rare, none of the published events appear to make it into the set.

Thanks,
Dop

broker-when.bro (878 Bytes)

Jon_Siwek · May 24, 2018, 3:08am

You're running into a longstanding inconsistency in the way Bro
resolves event identifiers [1], which was also a source of confusion
before Broker.

A general rule to follow when using event names in Bro is: if you
define it inside a module/namespace, then just always use that
namespace scoping when referring to the event name, so try replacing
all references to "manager_to_workers" in your script with
"Dop::manager_to_workers".

Another thing to note about that script is that a cluster will start
worker nodes after the manager node, so I expect only the scheduled
"Elijah Craig" event to consistently reach workers. Since all the
other events happen at bro_init() time (or very close to it), the
worker has not yet connected.

You should also notice that dispatching via "event" will still call
any local event handlers as it did before, but Broker::publish will
not.

- Jon

[1] https://bro-tracker.atlassian.net/browse/BIT-71

dopheide · May 24, 2018, 2:47pm

Ah, thanks. I knew I was missing something silly and I feel like others will run into this as well. What do you think about reflecting that in the Broker docs? I’m happy to make those changes and submit a pull request.

-Dop

Jon_Siwek · May 24, 2018, 3:15pm

Yeah, that will be good if you can suggest a place where it would have
helped (others have indeed run into it already). Note that it's not
just Broker / remote-communication that needs to obey this event
naming restriction, it's event handling/dispatching in general.

- Jon

Topic		Replies	Views
some Broker questions Development development	2	71	May 6, 2022
Module prefix in sending and receiving Broker events Development development	8	155	May 6, 2022
- BROKER - send messages from bro workers to python listener Zeek	2	106	May 6, 2022
get_event_peer() with Broker Development development	6	77	May 6, 2022
How to use Broker::Data in an event handler? Development development	5	118	May 6, 2022

Broker coding question

Related topics