On Fri, 23 Sep 2011, Joe Prosser wrote:

> Hi Folks,
> Has anyone thought of or built an SEC installation with the contexts
> saved on a memcached server?
> This strikes me as a possibly good way to address scalability
> challenges if you can get past lack of atomicity.
I've thought about this, and had it in my roadmap to implement as load climbed to where I needed it, but recently I've been having second thoughts. If I'm in a position where I really need this, I'm not sure I can afford the performance hit to check it as frequently as I really need to (and definitely not as frequently as every rule that has a context).

What I'm thinking of instead is a multi-tier system where I configure syslog to have all events of a given type sent to one instance of SEC, and then if there is a match, have that instance of SEC generate a log message that a second tier of SEC will look for. rsyslog or syslog-ng have powerful enough filters to do rather granular splitting of logs.

I would consider something like memcached for cases where I want to pass more information than will fit reasonably in one line of logs to the second-tier process, as the rate of update and access will be far lower.

David Lang

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
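The two-tier layout described in the reply above, written out as an added example; it is not configuration from the thread or from the SEC project. It assumes rsyslog routes sshd messages to their own file, that tier 1 runs as `sec --conf=/etc/sec/tier1-sshd.sec --input=/var/log/tier1/sshd.log`, and that tier 2 runs as `sec --conf=/etc/sec/tier2.sec --input=/var/log/tier2/in.log`; all paths, the `SEC-TIER1` marker, the thresholds and the alert address are placeholders chosen for the example.

```conf
# --- rsyslog (RainerScript): split by program so each tier-1 SEC instance
#     only sees the event type it correlates (assumed path, not from the thread)
if $programname == 'sshd' then {
    action(type="omfile" file="/var/log/tier1/sshd.log")
    stop
}

# --- /etc/sec/tier1-sshd.sec: tier 1 does the high-rate matching locally and
#     emits one compact summary line per detection instead of sharing contexts
type=SingleWithThreshold
ptype=RegExp
pattern=sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)
desc=ssh failed logins from $2
# 5 failures within 60 s from one source -> one line for tier 2 (values are placeholders)
window=60
thresh=5
action=write /var/log/tier2/in.log SEC-TIER1 ssh_bruteforce host=$2 user=$1

# --- /etc/sec/tier2.sec: tier 2 only ever sees tier-1 summaries, so its
#     rate of input (and any state it keeps) stays low
type=SingleWithThreshold
ptype=RegExp
pattern=^SEC-TIER1 ssh_bruteforce host=(\S+)
desc=source $1 flagged by tier 1 three times in an hour
window=3600
thresh=3
action=pipe '%s' /usr/bin/mail -s "tier-2 SEC alert" secops@example.com
```

The tier-1 `write` line is the "log message that a second tier of SEC will look for": everything tier 2 needs (host, user, event name) is carried on that one line, so no context has to be shared between the instances, and the brute-force counting happens at whichever tier-1 instance already holds the sshd stream. If a detection needs more payload than fits on a line, that is the point at which an out-of-band store like memcached would be consulted, at the far lower rate of tier-1 matches rather than per incoming event.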