[Oisf-devel] Suppressing unified2 file timestamp

Xavier Lange xrlange at gmail.com
Fri Jul 9 19:41:59 UTC 2010


What behavior would people like if you're suppressing the unified2 timestamp
field? I'm hacking up some changes to suppress the timestamp and I've got
two options:

a) Reset the file when the limit is hit
b) Ignore the file limit and just keep writing

I think a is the better choice because the user has specified the file
size limit in their config. Either behavior is fine by me.

Here's the config I'm envisioning:
  - unified2-alert:
      enabled: yes
      filename: unified2.alert
      timestamp: false

And just have it keep writing to a file (in my case I'm writing to a fifo
for ez IPC).

The code I'm looking at changing:
* tm-modules.h
  * Add (int) suppress_timestamp to LogFileCtx_.
  * Or come up with a convention where non-null filename and null prefix imply suppression of timestamp.
* Unified2AlertInitCtx
  * Inspect ConfNode to detect presence and value of "timestamp", alter file_ctx accordingly
* Unified2
  * Check suppress_timestamp or the convention, and then implement strategy a) or b).

Ideas? Feedback?
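As an added illustration of the proposal above (example code, not Suricata's own and not part of the original mail), here is a hypothetical model of the suppress_timestamp flag on LogFileCtx_ and of strategy a): with the timestamp suppressed the output name stays fixed and the file is truncated when the size limit is hit, while with the timestamp kept a new suffixed file is started. The names LogFileOpen, LogFileWrite and DemoPolicy, the /tmp path and the record bytes are assumptions.

```c
#include <stdio.h>
/* Hypothetical model of the proposed LogFileCtx_ change; not Suricata's code. */
typedef struct LogFileCtx_ {
    FILE *fp;
    char filename[256];     /* base name from the unified2-alert config */
    int suppress_timestamp; /* proposed flag, set by "timestamp: false" */
    size_t size_limit;      /* configured file size limit in bytes */
    size_t size_current;    /* bytes written to the open file */
} LogFileCtx;
/* Fixed name + "wb" truncation is strategy a); with the timestamp kept a new suffixed file starts. */
static int LogFileOpen(LogFileCtx *ctx, long now)
{
    char path[300];
    if (ctx->suppress_timestamp)
        snprintf(path, sizeof path, "%s", ctx->filename);
    else
        snprintf(path, sizeof path, "%s.%ld", ctx->filename, now);
    ctx->fp = fopen(path, "wb");
    ctx->size_current = 0;
    return ctx->fp ? 0 : -1;
}
/* Returns 1 if the file was reset/rotated before this record, 0 if not, -1 on error. */
static int LogFileWrite(LogFileCtx *ctx, const void *rec, size_t len, long now)
{
    /* limit is checked before writing so no record straddles two files */
    int rotated = ctx->size_current > 0 && ctx->size_current + len > ctx->size_limit;
    if (rotated) {
        fclose(ctx->fp);
        if (LogFileOpen(ctx, now) != 0)
            return -1;
    }
    if (fwrite(rec, 1, len, ctx->fp) != len)
        return -1;
    ctx->size_current += len;
    return rotated;
}
/* Push three constructed 60-byte records through a 100-byte limit; returns the reset count or -1. */
static int DemoPolicy(int suppress, const char *base)
{
    static const char rec[60] = "constructed unified2 record"; /* zero padded to 60 bytes */
    LogFileCtx ctx = {0};
    int i, r, resets = 0;
    snprintf(ctx.filename, sizeof ctx.filename, "%s", base);
    ctx.suppress_timestamp = suppress; ctx.size_limit = 100;
    if (LogFileOpen(&ctx, 1278704519) != 0) return -1; /* constructed epoch timestamp */
    for (i = 0; i < 3 && (r = LogFileWrite(&ctx, rec, sizeof rec, 1278704520 + i)) >= 0; i++)
        resets += r;
    fclose(ctx.fp);
    return i == 3 ? resets : -1;
}
```

In both modes the second and third records trigger a reset, but with suppress_timestamp set they land in the same fixed file, which is what a consumer reading a fifo or a single path needs.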