The log_xxx events are being raised on both the worker when the log entry was generated, and then again when it was received on the manager (but this time with non &log fields missing). The tricky part to understanding this is that
bool Manager::Write(EnumVal* id, RecordVal* columns)
is called on both the worker and on the manager, but different code paths are hit.
This simple change appears to fix things, but I'm not sure if it handles all the cases it needs to or if further fixes are needed.
diff --git a/src/logging/Manager.cc b/src/logging/Manager.cc
index 9db4351..6c41646 100644
@@ -658,7 +658,7 @@ bool Manager::Write(EnumVal* id, RecordVal* columns)
// Raise the log event.
if ( stream->event )
+ if ( stream->event && stream->enable_remote)
val_list* vl = new val_list(1);
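Review bot: the new condition `stream->event && stream->enable_remote` uses the remote-logging flag as a stand-in for "this node generated the entry", so a stream with remote logging turned off would never raise its log event, and a node that receives entries and also has remote logging enabled would still raise it a second time. An explicit origin indicator passed into Manager::Write, such as an extra boolean argument, would state the intent directly. The added line also drops the space before the closing parenthesis that the existing `if ( stream->event )` line uses.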
This causes the log_xx event to only be raised on nodes that are doing remote logging - which works out to the node that originally generated the log message. I could see this not being specific enough if a node was being used to relay log messages. Something more like
if ( stream->event && i_am_the_original_source_of_this_log_entry)
might make more sense. Perhaps an additional boolean argument to Manager::Write is required.
The change from the older communication code is that
RemoteSerializer::ProcessLogWrite used to do
success = log_mgr->Write(id_val, writer_val, path, num_fields, val);
Where bro_broker::Manager::Process uses
Fixed by (which more broadly changes things back to old semantics).