mirror of
https://github.com/zeek/zeek.git
synced 2025-10-03 15:18:20 +00:00
48 lines
1.3 KiB
Text
48 lines
1.3 KiB
Text
##! Implements notice functionality across clusters.
|
|
|
|
@load ./main
|
|
@load base/frameworks/cluster
|
|
|
|
module Notice;
|
|
|
|
export {
|
|
## This is the event used to transport notices on the cluster.
|
|
global cluster_notice: event(n: Notice::Info);
|
|
}
|
|
|
|
redef Cluster::manager2worker_events += /Notice::begin_suppression/;
|
|
redef Cluster::worker2manager_events += /Notice::cluster_notice/;
|
|
|
|
@if ( Cluster::local_node_type() != Cluster::MANAGER )
|
|
# The notice policy is completely handled by the manager and shouldn't be
|
|
# done by workers or proxies to save time for packet processing.
|
|
redef policy = {};
|
|
|
|
event Notice::begin_suppression(n: Notice::Info)
|
|
{
|
|
suppressing[n$note, n$identifier] = n;
|
|
}
|
|
|
|
event Notice::notice(n: Notice::Info)
|
|
{
|
|
# Send the locally generated notice on to the manager.
|
|
event Notice::cluster_notice(n);
|
|
}
|
|
|
|
event bro_init() &priority=-3
|
|
{
|
|
# Workers and proxies need to disable the notice streams because notice
|
|
# events are forwarded directly instead of being logged remotely.
|
|
Log::disable_stream(Notice::LOG);
|
|
Log::disable_stream(Notice::POLICY_LOG);
|
|
Log::disable_stream(Notice::ALARM_LOG);
|
|
}
|
|
@endif
|
|
|
|
@if ( Cluster::local_node_type() == Cluster::MANAGER )
|
|
event Notice::cluster_notice(n: Notice::Info)
|
|
{
|
|
# Raise remotely received notices on the manager
|
|
NOTICE(n);
|
|
}
|
|
@endif
|