[Oisf-devel] Suppressing unified2 file timestamp
Xavier Lange
xrlange at gmail.com
Tue Jul 13 17:48:22 UTC 2010
Alright, take a look. Defaults to using timestamps unless explicitly told
'timestamps: false', even if timestamps is not present. Won't step on
anyone's toes!
Xavier
On Mon, Jul 12, 2010 at 7:34 AM, Victor Julien <victor at inliniac.net> wrote:
> Basically you do the changes in a local branch, commit them and run the
> command "git format-patch -N" where N is the number of commits you have
> done. So if you did all changes in one commit "git format-patch -1".
> This gets you a patch file that you can send to me :)
>
> Xavier Lange wrote:
> > Great! Now I've used the instructions from doc/GITGUIDE and I created my
> > branch and merged back into master. How do I get these changes out to
> > you?
> >
> > Xavier
> >
> > On Fri, Jul 9, 2010 at 2:18 PM, Victor Julien <victor at inliniac.net> wrote:
> >
> > Xavier Lange wrote:
> > > Whoops, forgot to cc this on the list...
> > >
> > > On Fri, Jul 9, 2010 at 1:18 PM, Xavier Lange <xrlange at gmail.com> wrote:
> > >
> > > Reason for suppression: I'm writing to a fifo for easy ipc. I've got
> > > my own barnyard-esque app and given my constraints it's easier to
> > > use a fifo (it has some properties I prefer). Snort had this feature
> > > in its log config so I thought it would be handy here as well.
> > >
> > > Out of curiosity, any reason to avoid adding the field to a threadvar?
> >
> > Basically the different logging modules are each separate modules. I'd
> > like each module to be as separated from the others as possible. We have
> > a bunch of logging/output modules that don't use the timestamp: fast,
> > alert-debuglog, prelude.
> >
> > Cheers,
> > Victor
> >
> > >
> > > Xavier
> > >
> > >
> > > On Fri, Jul 9, 2010 at 12:48 PM, Victor Julien <victor at inliniac.net> wrote:
> > >
> > > I guess my first question would be "what do you need to suppress
> > > it for?"
> > >
> > > Xavier Lange wrote:
> > > > What behavior would people like if you're suppressing the unified2
> > > > timestamp field? I'm hacking up some changes to suppress the timestamp
> > > > and I've got two options:
> > > >
> > > > a) Reset the file when the limit is hit
> > > > b) Ignore the file limit and just keep writing
> > > >
> > > > I think a is the better choice because the user has specified the
> > > > file size limit in their config. Either behavior is fine by me.
> > > >
> > > > Here's the config I'm envisioning:
> > > > - unified2-alert:
> > > >     enabled: yes
> > > >     filename: unified2.alert
> > > >     timestamp: false
> > > >
> > > > And just have it keep writing to a file (in my case I'm writing to a
> > > > fifo for ez IPC).
> > > >
> > > > The code I'm looking at changing:
> > > > * tm-modules.h
> > > >   * Add (int) suppress_timestamp to LogFileCtx_.
> > >
> > > I don't think this change is necessary. You can get a new option for
> > > just unified2 in Unified2AlertInitCtx.
> > >
> > > >   * Or come up with a convention where non-null filename and null
> > > >     prefix imply suppression of timestamp.
> > > > * Unified2AlertInitCtx
> > > >   * Inspect ConfNode to detect presence and value of "timestamp",
> > > >     alter file_ctx accordingly
> > >
> > > In Unified2AlertOpenFileCtx you could check for the option as it was
> > > retrieved by Unified2AlertInitCtx. The option can just be saved to a
> > > local static variable.
> > >
> > > Cheers,
> > > Victor
> > >
> > > > * Unified2
> > > >   * Check suppress_timestamp or the convention, and then implement
> > > >     strategy a) or b).
> > > >
> > > > Ideas? Feedback?
> > > >
> > >
> > >
> > > --
> > > ---------------------------------------------
> > > Victor Julien
> > > http://www.inliniac.net/
> > > PGP: http://www.inliniac.net/victorjulien.asc
> > > ---------------------------------------------
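As an added illustration (not the patch attached to this thread and not Suricata's own code; every struct and function name below is an assumption made for the example), a small C model of the file context the thread discusses: the timestamp suffix is on by default and only an explicit `timestamp: false` suppresses it, and when the size limit is hit a timestamped output rotates to a new file while a fixed-name output such as a fifo is reset in place (option a).

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Illustrative model of the unified2 log file context from the thread; not
 * Suricata's code, every name here is an assumption made for the example. */
typedef struct {
    char prefix[128];   /* 'filename:' from the config, e.g. unified2.alert */
    int  use_timestamp; /* on by default; 'timestamp: false' turns it off */
    long limit;         /* configured file size limit, in bytes */
    long size;          /* bytes written to the file currently open */
    int  rotations;     /* times the output was rotated or reset */
    char current[160];  /* name of the file currently open */
} LogFileCtx;

/* Build the output name: prefix plus ".<unix time>" unless suppressed. */
static void build_name(const LogFileCtx *ctx, time_t now, char *out, size_t n) {
    if (ctx->use_timestamp)
        snprintf(out, n, "%s.%ld", ctx->prefix, (long)now);
    else
        snprintf(out, n, "%s", ctx->prefix);
}

/* Config value: absent, or anything but "false"/"no", keeps timestamps. */
int timestamp_enabled(const char *value) {
    if (value == NULL) return 1;
    return !(strcmp(value, "false") == 0 || strcmp(value, "no") == 0);
}

void ctx_init(LogFileCtx *ctx, const char *prefix, const char *ts, long limit, time_t now) {
    memset(ctx, 0, sizeof(*ctx));
    snprintf(ctx->prefix, sizeof(ctx->prefix), "%s", prefix);
    ctx->use_timestamp = timestamp_enabled(ts);
    ctx->limit = limit;
    build_name(ctx, now, ctx->current, sizeof(ctx->current));
}

/* Account for a record of len bytes. At the limit a timestamped output moves
 * to a new file; a fixed-name output (e.g. a fifo) is reset in place, which
 * is option a) from the thread. Returns the name currently in use. */
const char *ctx_write(LogFileCtx *ctx, long len, time_t now) {
    if (ctx->size + len > ctx->limit) {
        build_name(ctx, now, ctx->current, sizeof(ctx->current));
        ctx->size = 0;
        ctx->rotations++;
    }
    ctx->size += len;
    return ctx->current;
}
```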
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Altered-unified2-output-module-to-allow-suppression-.patch
Type: text/x-patch
Size: 2401 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20100713/5be4b571/attachment.bin>