[Oisf-devel] Suppressing unified2 file timestamp
Victor Julien
victor at inliniac.net
Fri Jul 9 21:18:04 UTC 2010
Xavier Lange wrote:
> Whoops, forgot to cc this on the list...
>
> On Fri, Jul 9, 2010 at 1:18 PM, Xavier Lange <xrlange at gmail.com> wrote:
>
> Reason for suppression: I'm writing to a fifo for easy ipc. I've got
> my own barnyard-esque app and given my constraints it's easier to
> use a fifo (it has some properties I prefer). Snort had this feature
> in its log config so I thought it would be handy here as well.
>
> Out of curiosity, any reason to avoid adding the field to a threadvar?
Basically the different logging modules are each separate modules. I'd
like each module to be as separated from the others as possible. We have
a bunch of logging/output modules that don't use the timestamp: fast,
alert-debuglog, prelude.
Cheers,
Victor
>
> Xavier
>
>
> On Fri, Jul 9, 2010 at 12:48 PM, Victor Julien <victor at inliniac.net> wrote:
>
> I guess my first question would be "what do you need to suppress
> it for?"
>
> Xavier Lange wrote:
> > What behavior would people like if you're suppressing the unified2
> > timestamp field? I'm hacking up some changes to suppress the timestamp
> > and I've got two options:
> >
> > a) Reset the file when the limit is hit
> > b) Ignore the file limit and just keep writing
> >
> > I think a is the better choice because the user has specified the
> > file size limit in their config. Either behavior is fine by me.
> >
> > Here's the config I'm envisioning:
> > - unified2-alert:
> >     enabled: yes
> >     filename: unified2.alert
> >     timestamp: false
> >
> > And just have it keep writing to a file (in my case I'm writing to a
> > fifo for ez IPC).
> >
> > The code I'm looking at changing:
> > * tm-modules.h
> > * Add (int) suppress_timestamp to LogFileCtx_.
>
> I don't think this change is necessary. You can get a new option for
> just unified2 in Unified2AlertInitCtx.
>
> > * Or come up with a convention where non-null filename and null prefix
> > imply suppression of timestamp.
> > * Unified2AlertInitCtx
> > * Inspect ConfNode to detect presence and value of "timestamp", alter
> > file_ctx accordingly
>
> In Unified2AlertOpenFileCtx you could check for the option as it was
> retrieved by Unified2AlertInitCtx. The option can just be saved to a
> local static variable.
>
> Cheers,
> Victor
>
> > * Unified2
> > * Check suppress_timestamp or the convention, and then implement
> > strategy a) or b).
> >
> > Ideas? Feedback?
> >
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
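The thread above is about the producer side (Suricata writing unified2 records to a fifo instead of a timestamped file). As an added example, not Suricata's code and not the poster's barnyard-style app, here is the consumer end of that fifo: a reader for the unified2 framing (an 8-byte header of record type and record length, both uint32 in network byte order, followed by the record body). It handles the two things a fifo reader must get right that a regular file reader can ignore: short reads, where `read()` returns fewer bytes than asked for, and a stream that ends in the middle of a record. The `MAX_RECORD_LEN` bound, the helper names, and the sample record bytes are this example's own choices; record bodies are returned raw and not decoded.

```python
# Added example (not Suricata's or the list poster's code): the consumer
# side of the "write unified2 to a fifo for IPC" setup discussed above.
# It assumes the unified2 framing: every record starts with an 8-byte
# header of record type and record length, both uint32 in network byte
# order, followed by `length` bytes of record body. Bodies are returned
# raw; decoding them is out of scope here.
import io
import struct

RECORD_HEADER = struct.Struct("!II")  # (type, length), big-endian

# Upper bound on a single record body. A defensive limit chosen for this
# example, not a value from the unified2 format or Suricata.
MAX_RECORD_LEN = 1 << 20


def _read_exact(stream, n):
    """Read exactly n bytes, looping over short reads.

    A fifo (or an unbuffered file object) may return fewer bytes than asked
    for, so one read() is not enough. Returns None on a clean EOF that
    falls on a record boundary; raises EOFError if the stream ends in the
    middle of a record.
    """
    buf = bytearray()
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            if not buf:
                return None
            raise EOFError("stream ended mid-record: wanted %d bytes, got %d"
                           % (n, len(buf)))
        buf.extend(chunk)
    return bytes(buf)


def iter_records(stream):
    """Yield (record_type, body_bytes) tuples from a unified2 byte stream."""
    while True:
        header = _read_exact(stream, RECORD_HEADER.size)
        if header is None:
            return  # clean EOF on a record boundary
        rtype, length = RECORD_HEADER.unpack(header)
        if length > MAX_RECORD_LEN:
            raise ValueError("unified2 record length %d exceeds limit %d"
                             % (length, MAX_RECORD_LEN))
        body = _read_exact(stream, length)  # returns b"" when length == 0
        if body is None:
            raise EOFError("stream ended before record body of %d bytes" % length)
        yield rtype, body


def parse_records(data):
    """Parse a complete in-memory byte string (offline convenience)."""
    return list(iter_records(io.BytesIO(data)))


def build_record(rtype, body):
    """Encode one record in unified2 framing; used to construct sample input."""
    return RECORD_HEADER.pack(rtype, len(body)) + body


class DribbleStream:
    """Wraps bytes and returns at most `chunk` bytes per read(), imitating
    the partial reads a fifo reader sees when the writer is slow."""

    def __init__(self, data, chunk=3):
        self._buf = io.BytesIO(data)
        self._chunk = chunk

    def read(self, n):
        return self._buf.read(min(n, self._chunk))


# Constructed sample stream: two records with arbitrary type values and
# short bodies. This is not real Suricata output.
SAMPLE_STREAM = build_record(7, b"event-one") + build_record(104, b"two")

if __name__ == "__main__":
    # Against a real fifo this would be:
    #   with open("/path/to/unified2.fifo", "rb", buffering=0) as f:
    #       for rtype, body in iter_records(f): ...
    for rtype, body in iter_records(DribbleStream(SAMPLE_STREAM)):
        print(rtype, len(body), body)
```

Two practical notes follow from the thread. A fifo has no size, so the "reset vs. keep writing when the limit is hit" question only matters for regular files; for the fifo case the reader simply never sees a rotation. And on a fifo, EOF means the writer closed its end (for instance Suricata restarting), so a long-running consumer should reopen the fifo and continue rather than treat that EOF as the end of data; a mid-record EOFError from this reader is the signal that the last record was cut off and should be discarded rather than decoded.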