[Oisf-devel] Suppressing unified2 file timestamp

Victor Julien victor at inliniac.net
Fri Jul 9 19:48:42 UTC 2010

I guess my first question would be "what do you need to suppress it for?"

Xavier Lange wrote:
> What behavior would people like if you're suppressing the unified2
> timestamp field? I'm hacking up some changes to suppress the timestamp
> and I've got two options:
> a) Reset the file when the limit is hit
> b) Ignore the file limit and just keep writing
> I think a is the better choice because the user has specified the
> file size limit in their config. Either behavior is fine by me.
> Here's the config I'm envisioning:
>   - unified2-alert:
>       enabled: yes
>       filename: unified2.alert
>       timestamp: false
> And just have it keep writing to a file (in my case I'm writing to a
> fifo for ez IPC).
> The code I'm looking at changing:
> * tm-modules.h
>   * Add (int) suppress_timestamp to LogFileCtx_.

I don't think this change is necessary. You can get a new option for
just unified2 in Unified2AlertInitCtx.

>   * Or come up with a convention where non-null filename and null prefix
> imply suppression of timestamp.
> * Unified2AlertInitCtx
>   * Inspect ConfNode to detect presence and value of "timestamp", alter
> file_ctx accordingly

In Unified2AlertOpenFileCtx you could check for the option as it was
retrieved by Unified2AlertInitCtx. The option can just be saved to a
local static variable.


> * Unified2
>   * Check suppress_timestamp or the convention, and then implement
> strategy a) or b).
> Ideas? Feedback?

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc
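To make the two strategies from the thread concrete, here is a small stand-alone model of a unified2-style file context, added for illustration; it is not Suricata's output code, and the class name, the `strategy` values "reset"/"keep" and the injectable `clock` are assumptions of this example.

```python
import os
import time

# Added example, not Suricata's code: models a log file context with a size
# limit, the usual timestamp suffix, and the two proposed behaviours when
# "timestamp: false" is set and the limit is hit.
class Unified2FileCtx:
    def __init__(self, directory, filename, limit, timestamp=True,
                 strategy="reset", clock=time.time):
        self.directory = directory
        self.filename = filename
        self.limit = limit              # size limit from the config
        self.timestamp = timestamp      # False models "timestamp: false"
        self.strategy = strategy        # "reset" = option a, "keep" = option b
        self.clock = clock              # injectable so tests are deterministic
        self.opened = []                # every path opened so far
        self.fh = None
        self._open()

    def _open(self):
        name = self.filename
        if self.timestamp:
            # unified2 convention: append the open time to the file name
            name = "%s.%d" % (name, int(self.clock()))
        path = os.path.join(self.directory, name)
        self.fh = open(path, "ab")      # append mode positions at end-of-file
        self.size = self.fh.tell()
        self.opened.append(path)

    def write(self, record):
        if self.size + len(record) > self.limit:
            self._limit_hit()
        self.fh.write(record)
        self.fh.flush()
        self.size += len(record)

    def _limit_hit(self):
        if self.timestamp:
            self.fh.close()
            self._open()                # default: roll to a new timestamped file
        elif self.strategy == "reset":
            self.fh.seek(0)
            self.fh.truncate()          # option a: start the fixed-name file over
            self.size = 0
        # option b ("keep"): ignore the limit and keep appending to the same file

    def close(self):
        self.fh.close()
```

Note that option a only makes sense for a regular file; truncating a FIFO, as in the original poster's setup, is not a meaningful operation, so a FIFO reader would effectively need option b.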
