metron-dev mailing list archives

From JonZeolla <...@git.apache.org>
Subject [GitHub] metron-bro-plugin-kafka pull request #2: DO NOT MERGE METRON-1304: Allow met...
Date Wed, 22 Nov 2017 20:44:01 GMT
Github user JonZeolla commented on a diff in the pull request:

    https://github.com/apache/metron-bro-plugin-kafka/pull/2#discussion_r152674806
  
    --- Diff: scripts/Bro/Kafka/logs-to-kafka.bro ---
    @@ -14,32 +14,37 @@
     #  See the License for the specific language governing permissions and
     #  limitations under the License.
     #
    -##! load this script to enable log output to kafka
    +
    +##! Load this script to enable log output to kafka
     
     module Kafka;
     
     export {
    +	## Specify which :bro:type:`Log::ID` to exclude from being sent to kafka.
     	##
    -	## which log streams should be sent to kafka?
    -	## example:
    -	##		redef Kafka::logs_to_send = set(Conn::Log, HTTP::LOG, DNS::LOG);
    +	## Example:  redef Kafka::logs_to_exclude = set(SSH::LOG);
    +	const logs_to_exclude: set[Log::ID] &redef;
    +
    +	## Specify which :bro:type:`Log::ID` to send to kafka.
     	##
    +	## Example:  redef Kafka::logs_to_send = set(Conn::Log, DNS::LOG);
     	const logs_to_send: set[Log::ID] &redef;
     }
     
     event bro_init() &priority=-5
     {
     	for (stream_id in Log::active_streams)
     	{
    -		if (stream_id in Kafka::logs_to_send)
    -		{
    -			local filter: Log::Filter = [
    -				$name = fmt("kafka-%s", stream_id),
    -				$writer = Log::WRITER_KAFKAWRITER,
    -				$config = table(["stream_id"] = fmt("%s", stream_id))
    -			];
    +		if ( stream_id in Kafka::logs_to_exclude ||
    +		    (|Kafka::logs_to_send| > 0 && stream_id !in Kafka::logs_to_send) )
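Review bot: the new condition on the last two `+` lines changes the default behaviour without saying so in the docs: when `logs_to_send` is empty, `|Kafka::logs_to_send| > 0` is false, so every active stream not listed in `logs_to_exclude` is now sent to Kafka, whereas the removed `if (stream_id in Kafka::logs_to_send)` sent nothing for an empty set. A deployment that never redefined `logs_to_send` will start shipping all of its logs after upgrading. Neither `##` comment in the export block mentions this; state it explicitly on both options, e.g. `## If logs_to_send is empty, all active log streams are sent except those in logs_to_exclude.` and `## logs_to_exclude always takes precedence over logs_to_send.` Minor: the example `redef Kafka::logs_to_send = set(Conn::Log, DNS::LOG);` mixes `Conn::Log` with `DNS::LOG`; the conn stream's ID is `Conn::LOG`, so the example as written will not resolve.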
    --- End diff --
    
I was talking to a few people in the bro community about this and I'm hearing that people mostly prefer an unset send_logs to send nothing.  What are your thoughts on that?  I would prefer to send all by default, but it's not a huge deal to go either way for me.
