On Thu, Aug 23, 2018 at 8:32 AM Dominik Charousset <dominik.charous...@haw-hamburg.de> wrote:
> I’m a bit hesitant to rely on this header at the moment, because of:
>
> /// A Bro log-write message. Note that at the moment this should be used only
> /// by Bro itself as the arguments aren't publicly defined.
>
> Is the API stable enough on your end at this point to make it public?

The comment is just pointing out what was said about the log message formats being opaque at the moment. It's expected only Bro will be able to make sense of the content.

> Also, there are LogCreate and LogWrite events. The LogCreate has the
> `fields_data` (a list of field names?).

Yeah, there's some field info in there: names, types, optionality. The type info in particular doesn't seem good to treat as intended for public consumption.

> Does that mean I need to receive the LogCreate event first to understand
> successive LogWrite events? That would mean I cannot parse logs that had
> their LogCreate event before I was able to subscribe to the topic.

Yeah, that's one problem, but a bigger issue is you can't parse LogWrite because the content is a serial blob whose format is another thing not intended for public consumption.

- Jon

_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev