Bro Logs Processing

File location:

  • Bundled implementation: source/client/python/remote.py

  • Cluster implementation: cluster/core/source/python/remote.py

Hook Mainloop

remote.remote_proc()

A context for running processes at the background.

In bundled implementation, this function also starts both remote_dump() and remote_logs() as new processes.

In cluster implementation, this function starts remote() as a new process.

Note

Before exit, in bundled implementation, it will send SIGUSR1 signal to the remote_dump() background process and SIGUSR2 signal to the remote_logs() background process; then wait for the process to gracefully exit.

In cluster implementation, it will send SIGUSR1 signal to the remote_logs() background process and wait for the process to gracefully exit.

remote.remote_logs()
Availability:

bundled implementation

Runtime mainloop for Python hooks.

The function will start as an indefinite loop to fetch path to Bro logs from const.QUEUE_LOGS, and execute registered Python hooks on them.

When JOIN_LOGS is set to True, the function will break from the loop and execute registered Python hooks for closing (sites.EXIT).

Raises:

HookWarning – If hook execution failed.

remote.remote()
Availability:

cluster implementation

The function will start as an indefinite loop to fetch path to Bro logs from const.QUEUE, and execute registered Python hooks on them.

When JOIN is set to True, the function will break from the loop and execute registered Python hooks for closing (sites.EXIT).

Raises:

HookWarning – If hook execution failed.

hook(log_name: str)

Wrapper function for running registered Python hooks.

Parameters:

log_name (str) – Root folder of Bro logs.

wrapper_logs(args: Tuple[Callable[[str], Any], str])

Wrapper function for running registered Python hooks for processing (sites.HOOK).

wrapper_func(func: Callable[[], Any])

Wrapper function for running registered Python hooks for closing (sites.EXIT).

Warnings

exception remote.HookWarning
Bases:

Warning

Warns when Python hooks execution failed.

Signal Handling

Bundled Implementation

remote.join_logs(*args, **kwargs)
Availability:

bundled implementation

Toggle JOIN_LOGS to True.

Note

This function is registered as handler for SIGUSR2`.

remote.JOIN_LOGS = multiprocessing.Value('B', False)
Availability:

bundled implementation

Flag to stop the remote_logs() background process.

Cluster Implementation

remote.join(*args, **kwargs)
Availability:

cluster implementation

Toggle JOIN to True.

Note

This function is registered as handler for SIGUSR1`.

remote.JOIN = multiprocessing.Value('B', False)
Availability:

cluster implementation

Flag to stop the remote() background process.