[Oisf-devel] Suppressing unified2 file timestamp

Victor Julien victor at inliniac.net
Fri Jul 9 19:48:42 UTC 2010


I guess my first question would be "what do you need to suppress it for?"

Xavier Lange wrote:
> What behavior would people like if you're suppressing the unified2
> timestamp field? I'm hacking up some changes to suppress the timestamp
> and I've got two options:
> 
> a) Reset the file when the limit is hit
> b) Ignore the file limit and just keep writing
> 
> I think a is the better choice because the user has specified the
> file size limit in their config. Either behavior is fine by me.
> 
> Here's the config I'm envisioning:
>   - unified2-alert:
>       enabled: yes
>       filename: unified2.alert
>       timestamp: false
> 
> And just have it keep writing to a file (in my case I'm writing to a
> fifo for ez IPC).
> 
> The code I'm looking at changing:
> * tm-modules.h
>   * Add (int) suppress_timestamp to LogFileCtx_.

I don't think this change is necessary. You can get a new option for
just unified2 in Unified2AlertInitCtx.

>   * Or come up with a convention where non-null filename and null prefix
> imply suppression of timestamp.
> * Unified2AlertInitCtx
>   * Inspect ConfNode to detect presence and value of "timestamp", alter
> file_ctx accordingly

In Unified2AlertOpenFileCtx you could check for the option as it was
retrieved by Unified2AlertInitCtx. The option can just be saved to a
local static variable.

Cheers,
Victor

> * Unified2
>   * Check suppress_timestamp or the convention, and then implement
> strategy a) or b).
> 
> Ideas? Feedback?
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
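Added illustration, not Suricata code and not part of the thread above: a self-contained sketch of the approach Victor describes, with the "timestamp" config value read once at init and kept in a file-local static, consulted when the output path is built, and consulted again when the size limit is hit so that a fixed filename gets option a) (reset the file) while a timestamped filename rotates to a new one. All names (U2ExampleInit, U2BuildPath, U2NextAction, U2File and friends) and the sample records are invented for this example.

```c
/*
 * Hypothetical stand-alone example (not Suricata's unified2 code): a
 * "timestamp: false" option kept in a static, a path builder that honours
 * it, and a writer that rotates (timestamped name) or truncates (fixed
 * name, option a) when the configured size limit would be exceeded.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Set once from the config by U2ExampleInit(); read by the open/rotate code. */
static bool u2_suppress_timestamp = false;

typedef enum { U2_WRITE = 0, U2_ROTATE = 1, U2_TRUNCATE = 2 } U2Action;

typedef struct {
    char     prefix[128];   /* "filename" from the config */
    char     path[160];     /* path actually opened */
    FILE    *fp;
    uint64_t size;          /* bytes written to the current file */
    uint64_t size_limit;    /* 0 = unlimited */
} U2File;

/* Parse the value of "timestamp:" ("yes"/"true"/"no"/"false"). An unknown
 * value keeps the default (timestamp on) and returns -1 so the caller can warn. */
int U2ExampleInit(const char *timestamp_value)
{
    u2_suppress_timestamp = false;
    if (timestamp_value == NULL)
        return 0;
    if (strcmp(timestamp_value, "no") == 0 || strcmp(timestamp_value, "false") == 0) {
        u2_suppress_timestamp = true;
        return 0;
    }
    if (strcmp(timestamp_value, "yes") == 0 || strcmp(timestamp_value, "true") == 0)
        return 0;
    return -1;
}

bool U2TimestampSuppressed(void) { return u2_suppress_timestamp; }

/* "<prefix>.<unix time>" normally; just "<prefix>" when suppressed, so a
 * FIFO reader always finds the same name. Returns 0, or -1 if too long. */
int U2BuildPath(char *out, size_t outlen, const char *prefix, time_t now)
{
    int n = u2_suppress_timestamp
          ? snprintf(out, outlen, "%s", prefix)
          : snprintf(out, outlen, "%s.%lld", prefix, (long long)now);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Decide what a write of `incoming` bytes should do. With a timestamped name
 * the limit means "rotate to a fresh file"; with a fixed name there is no
 * fresh name, so this implements option a): reset (truncate) the same file. */
U2Action U2NextAction(uint64_t size, uint64_t incoming, uint64_t limit)
{
    if (limit == 0 || size + incoming <= limit)
        return U2_WRITE;
    return u2_suppress_timestamp ? U2_TRUNCATE : U2_ROTATE;
}

/* (Re)open the output: new timestamped name, or the same fixed name opened
 * with "wb", which is the reset of option a). Resets the size counter. */
static int U2Reopen(U2File *f, time_t now)
{
    if (f->fp) { fclose(f->fp); f->fp = NULL; }
    f->size = 0;
    if (U2BuildPath(f->path, sizeof(f->path), f->prefix, now) != 0)
        return -1;
    f->fp = fopen(f->path, "wb");
    return f->fp ? 0 : -1;
}

int U2Open(U2File *f, const char *prefix, uint64_t limit, time_t now)
{
    memset(f, 0, sizeof(*f));
    snprintf(f->prefix, sizeof(f->prefix), "%s", prefix);
    f->size_limit = limit;
    return U2Reopen(f, now);
}

/* Write one record, rotating or truncating first when the limit would be
 * exceeded. Returns the U2Action taken, or -1 on I/O error. */
int U2Write(U2File *f, const void *rec, size_t len, time_t now)
{
    U2Action act = U2NextAction(f->size, len, f->size_limit);
    if (act != U2_WRITE && U2Reopen(f, now) != 0)
        return -1;
    if (fwrite(rec, 1, len, f->fp) != len)
        return -1;
    fflush(f->fp);
    f->size += len;
    return (int)act;
}

void U2Close(U2File *f) { if (f->fp) fclose(f->fp); f->fp = NULL; }

int main(void)
{
    /* Constructed demo: fixed name, 32-byte limit, three 20-byte records;
     * the second and third writes each reset the file (action 2). */
    U2File f;
    U2ExampleInit("false");
    if (U2Open(&f, "u2demo.alert", 32, time(NULL)) != 0)
        return 1;
    for (int i = 0; i < 3; i++)
        printf("record %d -> action %d, file %s, size %llu\n", i,
               U2Write(&f, "20-byte-unified2-rec", 20, time(NULL)),
               f.path, (unsigned long long)f.size);
    U2Close(&f);
    return 0;
}
```

Caveat for the FIFO case Xavier mentions: fopen() with "wb" on a named pipe blocks until a reader has it open and does not truncate anything, so on a FIFO the "reset" in option a) is a no-op and the reader simply sees a continuous stream, which is effectively option b) regardless of the configured limit.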