metron-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From GitBox <...@apache.org>
Subject [GitHub] [metron-bro-plugin-kafka] vikgmdev commented on a change in pull request #47: METRON-2357: Extends example 4 with a dynamic version
Date Thu, 21 May 2020 16:25:07 GMT

vikgmdev commented on a change in pull request #47:
URL: https://github.com/apache/metron-bro-plugin-kafka/pull/47#discussion_r428765442



##########
File path: README.md
##########
@@ -179,6 +179,48 @@ event zeek_init() &priority=-10
 }
 ```
 
+#### Dynamically send each zeek log to a topic with its same name.
+
+ * ej. `CONN::LOG` logs are sent to the `conn` topic or `Known::CERTS_LOG` to the `known-certs`
topic.
+
+```
+@load packages/metron-bro-plugin-kafka/Apache/Kafka
+redef Kafka::logs_to_send = set(DHCP::LOG, RADIUS::LOG, DNS::LOG);
+redef Kafka::topic_name = "";
+redef Kafka::tag_json = T;
+
+event zeek_init() &priority=-10
+{
+    for (stream_id in Log::active_streams) {
+        # Convert stream type enum to string
+        const stream_string: string = fmt("%s", stream_id);
+
+        # replace `::` by `_` from the log string name
+	    # ej. CONN::LOG to CONN_LOG or Known::CERTS_LOG to Known_CERTS_LOG
+        const stream_name: string = sub(stream_string, /::/, "_");
+
+        # lowercase the whole string for nomalization
+        const topic_name_lower: string = to_lower(stream_name);
+
+        # remove the _log at the of each topic name
+        const topic_name_under: string = sub(topic_name_lower, /_log$/, "");
+
+        # replace `_` by `-` for compatibility with acceptable Kafka topic naes

Review comment:
       Yes, I referred to that but you're right it's more a personal preference, should I
remove it from the example?




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



Mime
View raw message