Log Stream Types

Hey Bro List,

I'm hoping someone could explain why
%prefix%bro/share/bro/base/frameworks/logging/main.bro (from an
installation) defines a Log::Stream type as a record of two any types
but bro/src/logging/Manager.cc (line 335 from Github) seems to enforce
Log::Stream types to consist of an event type. I'm curious to see if
it is possible to take immediate action upon a log line being ready
with a function or hook instead of having to wait for an event to be
handled.
Thanks,

-AK

> I'm hoping someone could explain why
> %prefix%bro/share/bro/base/frameworks/logging/main.bro (from an
> installation) defines a Log::Stream type as a record of two any types
> but bro/src/logging/Manager.cc (line 335 from Github) seems to enforce
> Log::Stream types to consist of an event type.

That’s a hack. :) It’s because internally, the $columns field is a TypeType type which allows us to specify a type as a value (I know, kind of weird). $ev is declared as any at script land because the type of an event includes the full parameter list but most events being provided to that field are of different types because they carry different record types in their parameter lists.

Those hacks have bugged us (me at least!) for quite a while and if there is anything that is constant in our community, it’s that change is constant and we’ll probably be back around to work on this issue again before long. :)

> I'm curious to see if
> it is possible to take immediate action upon a log line being ready
> with a function or hook instead of having to wait for an event to be
> handled.

Typically when writing scripts that have specific requirements like it sounds like yours has, I don’t recommend that people hang off of the logging events. You are always going to run into problems like you are here. Find the event that you really want to hang your functionality off of and do that.

  .Seth
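
An added example, not part of the original thread: two streams whose log events carry different record types, which is the situation described above for why $ev cannot be given one concrete event type in script land. The module, stream, record and event names (Demo, LOG_A, LOG_B, InfoA, InfoB, log_a, log_b) are hypothetical, and the values written are constructed samples.

```bro
module Demo;

export {
    # Hypothetical stream IDs for this example.
    redef enum Log::ID += { LOG_A, LOG_B };

    type InfoA: record {
        ts:   time &log;
        host: addr &log;
    };

    type InfoB: record {
        ts:  time   &log;
        msg: string &log;
    };

    # The parameter list is part of an event's type, so these two
    # events have different types even though both are "log events".
    global log_a: event(rec: InfoA);
    global log_b: event(rec: InfoB);
}

event bro_init()
    {
    # $columns receives a type used as a value; $ev receives an event
    # whose signature differs from stream to stream.
    Log::create_stream(Demo::LOG_A, [$columns=InfoA, $ev=log_a]);
    Log::create_stream(Demo::LOG_B, [$columns=InfoB, $ev=log_b]);

    # Constructed sample records.
    local a: InfoA = [$ts=current_time(), $host=127.0.0.1];
    local b: InfoB = [$ts=current_time(), $msg="constructed sample"];
    Log::write(Demo::LOG_A, a);
    Log::write(Demo::LOG_B, b);
    }

# Handlers for the log events run through the event queue like any
# other event, not synchronously inside Log::write.
event Demo::log_a(rec: InfoA)
    {
    print fmt("log_a saw host %s", rec$host);
    }

event Demo::log_b(rec: InfoB)
    {
    print fmt("log_b saw msg %s", rec$msg);
    }
```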

Ah! The typing makes sense now.

You’re right about the specific requirements, too. I’m looking for a way to feed log lines to a process similar to a Python generator. I’ve tried the Python broccoli bindings but wasn’t satisfied with type conversions. I’ll keep looking and post here if I find anything worthwhile.
Thanks for the insight, Seth!

-AK