[Oisf-devel] Suppressing unified2 file timestamp
Xavier Lange
xrlange at gmail.com
Fri Jul 9 23:08:42 UTC 2010
Great! Now I've used the instructions from doc/GITGUIDE and I created my
branch and merged back into master. How do I get these changes out to you?
Xavier
On Fri, Jul 9, 2010 at 2:18 PM, Victor Julien <victor at inliniac.net> wrote:
> Xavier Lange wrote:
> > Whoops, forgot to cc this on the list...
> >
> > On Fri, Jul 9, 2010 at 1:18 PM, Xavier Lange <xrlange at gmail.com
> > <mailto:xrlange at gmail.com>> wrote:
> >
> > Reason for suppression: I'm writing to a fifo for easy ipc. I've got
> > my own barnyard-esque app and given my constraints it's easier to
> > use a fifo (it has some properties I prefer). Snort had this feature
> > in its log config so I thought it would be handy here as well.
> >
> > Out of curiosity, any reason to avoid adding the field to a threadvar?
>
> Basically the different logging modules are each separate modules. I'd
> like each module to be as separated from the others as possible. We have
> a bunch of logging/output modules that don't use the timestamp: fast,
> alert-debuglog, prelude.
>
> Cheers,
> Victor
>
> >
> > Xavier
> >
> >
> > On Fri, Jul 9, 2010 at 12:48 PM, Victor Julien <victor at inliniac.net
> > <mailto:victor at inliniac.net>> wrote:
> >
> > I guess my first question would be "what do you need to suppress
> > it for?"
> >
> > Xavier Lange wrote:
> > > What behavior would people like if you're suppressing the unified2
> > > timestamp field? I'm hacking up some changes to suppress the timestamp
> > > and I've got two options:
> > >
> > > a) Reset the file when the limit is hit
> > > b) Ignore the file limit and just keep writing
> > >
> > > I think a is the better choice because the user has specified the
> > > file size limit in their config. Either behavior is fine by me.
> > >
> > > Here's the config I'm envisioning:
> > > - unified2-alert:
> > >     enabled: yes
> > >     filename: unified2.alert
> > >     timestamp: false
> > >
> > > And just have it keep writing to a file (in my case I'm writing to a
> > > fifo for ez IPC).
> > >
> > > The code I'm looking at changing:
> > > * tm-modules.h
> > > * Add (int) suppress_timestamp to LogFileCtx_.
> >
> > I don't think this change is necessary. You can get a new option for
> > just unified2 in Unified2AlertInitCtx.
> >
> > > * Or come up with a convention where non-null filename and null prefix
> > > imply suppression of timestamp.
> > > * Unified2AlertInitCtx
> > > * Inspect ConfNode to detect presence and value of "timestamp", alter
> > > file_ctx accordingly
> >
> > In Unified2AlertOpenFileCtx you could check for the option as it was
> > retrieved by Unified2AlertInitCtx. The option can just be saved to a
> > local static variable.
> >
> > Cheers,
> > Victor
> >
> > > * Unified2
> > > * Check suppress_timestamp or the convention, and then implement
> > > strategy a) or b).
> > >
> > > Ideas? Feedback?
> > --
> > ---------------------------------------------
> > Victor Julien
> > http://www.inliniac.net/
> > PGP: http://www.inliniac.net/victorjulien.asc
> > ---------------------------------------------
> >
> >
> >
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
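The `timestamp: false` option and the two size-limit strategies a) and b) discussed in the thread, as an added C example; this is not Suricata's code and not from either poster. The `LogCtx` struct, its field names and the `log_*` functions are hypothetical stand-ins, not Suricata's `LogFileCtx_` or the `Unified2Alert*` functions. With the timestamp suffix suppressed the output path is fixed, so strategy a) becomes "truncate the same path in place" and strategy b) becomes "never truncate"; on a fifo the truncate is harmless, on a regular file b) means the file grows without bound.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical output context (assumption: not Suricata's LogFileCtx_). */
typedef struct {
    const char *prefix;        /* "filename" from the config, e.g. a fifo path */
    int suppress_timestamp;    /* config "timestamp: false" */
    int ignore_limit;          /* 0 = strategy a) reset on limit, 1 = strategy b) keep writing */
    size_t size_limit;         /* bytes; 0 = no limit configured */
    size_t size_current;       /* bytes written since the last open/reset */
    char path[512];            /* path currently open */
    FILE *fp;
} LogCtx;

/* "<prefix>.<epoch>" by default, plain "<prefix>" when the timestamp is suppressed. */
int log_build_path(const LogCtx *ctx, time_t now, char *out, size_t outlen)
{
    int n = ctx->suppress_timestamp
        ? snprintf(out, outlen, "%s", ctx->prefix)
        : snprintf(out, outlen, "%s.%ld", ctx->prefix, (long)now);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Would writing `len` more bytes exceed the configured limit? */
int log_limit_hit(const LogCtx *ctx, size_t len)
{
    return ctx->size_limit > 0 && ctx->size_current + len > ctx->size_limit;
}

/* (Re)open the output. "w" creates a fresh timestamped file, or truncates the
   fixed path in place for strategy a). On a fifo the truncate is a no-op. */
int log_open(LogCtx *ctx, time_t now)
{
    if (log_build_path(ctx, now, ctx->path, sizeof ctx->path) != 0)
        return -1;
    if (ctx->fp)
        fclose(ctx->fp);
    ctx->fp = fopen(ctx->path, "w");
    ctx->size_current = 0;
    return ctx->fp ? 0 : -1;
}

/* Write one record. Returns 1 if the limit caused a reset, 0 if not, -1 on error.
   Strategy b) (ignore_limit set) never resets; the file just keeps growing. */
int log_write(LogCtx *ctx, const void *rec, size_t len, time_t now)
{
    int reset = 0;
    if (!ctx->fp && log_open(ctx, now) != 0)
        return -1;
    if (log_limit_hit(ctx, len) && !ctx->ignore_limit) {
        if (log_open(ctx, now) != 0)
            return -1;
        reset = 1;
    }
    if (fwrite(rec, 1, len, ctx->fp) != len)
        return -1;
    ctx->size_current += len;
    return reset;
}

int main(void)
{
    /* Constructed sample: a fixed path (stand-in for a fifo) with the timestamp suppressed
       and a deliberately tiny limit so the reset is visible. */
    LogCtx ctx = { .prefix = "/dev/null", .suppress_timestamp = 1,
                   .ignore_limit = 0, .size_limit = 16 };
    const char *rec = "alert!!!";   /* constructed 8-byte stand-in for a unified2 record */
    for (int i = 0; i < 3; i++)
        printf("write %d: reset=%d path=%s\n", i,
               log_write(&ctx, rec, strlen(rec), time(NULL)), ctx.path);
    if (ctx.fp)
        fclose(ctx.fp);
    return 0;
}
```

The third write in `main` trips the 16-byte limit and reports `reset=1`, which is strategy a); flipping `ignore_limit` to 1 gives strategy b), where the same write succeeds without a reset and `size_current` keeps climbing. A practitioner reviewing the fifo setup would also check that something is always reading the fifo, since a writer blocks on an unread fifo regardless of which strategy is chosen.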