metron-dev mailing list archives

From "Zeolla@GMail.com" <zeo...@gmail.com>
Subject Re: [jira] [Created] (METRON-348) bro-plugin-kafka is missing an important update
Date Sun, 24 Jul 2016 23:57:40 GMT
Personally, I would always default to using the tool provided by a sensor's
development team to do a specific task.  Maybe I'm missing something here,
but to me this clearly seems to be the best method to pull logs in from
bro.  Is there something else that you think would be better in this
situation?

Things would mostly stay the same in Metron after this change, since this fix
is for thread management on the bro sensor side, however it is something
currently being provided through Metron in order to get data to Metron
which I think is important and a good thing to try to make as easy as
possible.

Regarding the license, it looks like this is licensed
<https://github.com/bro/bro-plugins/blob/master/kafka/COPYING> under the
3-clause BSD license, which appears to be fine
<http://www.apache.org/legal/resolved.html#category-a>, but IANAL.

Jon

On Sun, Jul 24, 2016 at 1:59 PM David Lyle <dlyle65535@gmail.com> wrote:

> I guess what I'm trying to understand is how the patch you pointed to
> changes the behavior in Metron. That is, if we only grab http and dns and
> point to a single topic, do we need it?
>
> Besides that, we seem to have a licensing issue. The same code in the Bro
> project is not Apache licensed. That seems like an issue.
>
>
>
> On Sunday, July 24, 2016, Jon Zeolla (JIRA) <jira@apache.org> wrote:
>
> >
> >     [ https://issues.apache.org/jira/browse/METRON-348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15391089#comment-15391089 ]
> >
> > Jon Zeolla commented on METRON-348:
> > -----------------------------------
> >
> > But then Ansible would be pulling down their entire bro/bro-plugins repo,
> > including a bunch of plugins that aren't that useful with out-of-the-box
> > Metron.  It would still be helpful for bro to have a branch for each
> > plugin (or a repo for each, but that seems less likely), and then
> > reference the repo/branch for their kafka plugin in the Ansible task or
> > in the Metron code base (whichever we decide on).  Of course a change on
> > bro/bro-plugins isn't required, or even that important because it is a
> > somewhat small repo, but I think it's worth it to wait and see what their
> > response will be.
> >
> > Personally, I find it nice that this code is pointed to in the metron
> > repo, but I can see an argument against it.  My biggest concern is
> > providing outdated code in Metron - hence my resistance to simply update
> > what's there with a copy/paste.
> >
> > There shouldn't have to be any updates to the existing parsers.  With
> > this plugin you specify a topic_name to send to, then all of the logs
> > will go to that single topic.  It is only unique per bro log if you leave
> > topic_name undefined.  If you only want the HTTP and DNS logs, then you
> > just set `redef Kafka::logs_to_send = set(HTTP::LOG, DNS::LOG);` in your
> > local.bro.
> >
> > > bro-plugin-kafka is missing an important update
> > > -----------------------------------------------
> > >
> > >                 Key: METRON-348
> > >                 URL: https://issues.apache.org/jira/browse/METRON-348
> > >             Project: Metron
> > >          Issue Type: Bug
> > >            Reporter: Jon Zeolla
> > >             Fix For: 0.2.1BETA
> > >
> > >   Original Estimate: 2h
> > >  Remaining Estimate: 2h
> > >
> > > Metron's bro-plugin-kafka
> > > (https://github.com/apache/incubator-metron/tree/master/metron-sensors/bro-plugin-kafka)
> > > is missing an important update
> > > (https://github.com/bro/bro-plugins/commit/b9f1f35415cb0db065348da0a5043a8353b4a0a8).
> > > I have opened a ticket with the bro devs in order to seek a long term
> > > resolution to this issue (https://github.com/bro/bro-plugins/issues/31).
> > > My suggestion was to have the bro team update the bro/bro-plugins repo
> > > to turn folders (plugins) into individual branches so that they could be
> > > referenced and updated easily in Metron and other projects as a
> > > submodule. I was going to wait to hear back before filing a PR, but I'm
> > > not against a short term fix of simply updating kafka/src/KafkaWriter.cc
> > > and kafka/src/KafkaWriter.h.
> >
> >
> >
> > --
> > This message was sent by Atlassian JIRA
> > (v6.3.4#6332)
> >
>
-- 

Jon
