Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-06 08:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
zeek/scripts/base/frameworks/notice/cluster.bro
Seth Hall aa9fdf38bb Clean up to cluster framework to make event handling clearer. 
- Fixed a bug where notices were being passed to proxies.
  This was a mistake and should greatly reduce load on
  many clusters.

- Cluster event regex variables renamed to:
  - Notice::manager2worker_events
  - Notice::manager2proxy_events
  - Notice::worker2manager_events
  - Notice::worker2proxy_events
  - Notice::proxy2manager_events
  - Notice::proxy2worker_events

- The default Notice::policy set is cleared for all cluster
  nodes except for managers to cause all default notice
  processing to occur on managers.  This should reduce load
  on workers slightly.
2011-10-04 11:57:50 -04:00

46 lines
1.3 KiB
Text
Raw Blame History

##! Implements notice functionality across clusters.
@load ./main
@load base/frameworks/cluster
module Notice;
# Define the event used to transport notices on the cluster.
global cluster_notice: event(n: Notice::Info);
redef Cluster::manager2worker_events += /Notice::begin_suppression/;
redef Cluster::worker2manager_events += /Notice::cluster_notice/;
@if ( Cluster::local_node_type() != Cluster::MANAGER )
# The notice policy is completely handled by the manager and shouldn't be
# done by workers or proxies to save time for packet processing.
redef policy = {};
event Notice::begin_suppression(n: Notice::Info)
{
suppressing[n$note, n$identifier] = n;
}
event Notice::notice(n: Notice::Info)
{
# Send the locally generated notice on to the manager.
event Notice::cluster_notice(n);
}
event bro_init() &priority=-3
{
# Workers and proxies need to disable the notice streams because notice
# events are forwarded directly instead of being logged remotely.
Log::disable_stream(Notice::LOG);
Log::disable_stream(Notice::POLICY_LOG);
Log::disable_stream(Notice::ALARM_LOG);
}
@endif
@if ( Cluster::local_node_type() == Cluster::MANAGER )
event Notice::cluster_notice(n: Notice::Info)
{
# Raise remotely received notices on the manager
NOTICE(n);
}
@endif
Reference in a new issue View git blame Copy permalink