If bufsize=1 becomes the default, would SEC, upon loading its rules, print a 
warning or an error message for each rule that is using "pattern types like 
RegExp3, NRegExp2, and PerlFunc5"?  If so, then existing rules could be checked 
in advance for any bufsize=1 issues by running SEC with --testonly and 
searching its output for the related warning messages.

Regards,
Rock

-----Original Message-----
From: Risto Vaarandi [mailto:risto.vaara...@seb.ee] 
Sent: Monday, January 19, 2015 8:24 AM
To: simple-evcorr-users@lists.sourceforge.net
Subject: [Simple-evcorr-users] user poll: changing default values for some 
command line options

Hi all,

I am currently working on the 2.7.7 version, and a recent e-mail exchange with 
one of the users has inspired me to think about changing default values for 
--bufsize and --jointbuf/--nojointbuf options.

Currently, the default for --bufsize is 10, which means that SEC keeps the 10 last 
lines from input sources in the input buffer, in order to facilitate multiline 
matching. However, many rulesets are written for processing single-line events 
(e.g., from syslog log files), and rulesets for multiline events are clearly a 
minority. In the current pattern matching routines, all of the code is written in a 
generic way for both the single-line and multi-line case. Nevertheless, if 
bufsize=1 were the default, some of the code for the single-line case could be 
factored out and written more efficiently, which would allow for some 
performance gains in the single-line scenario. The downside of changing the 
default from bufsize=10 to bufsize=1 would be the need to set --bufsize 
explicitly on the command line, in order to make pattern types like RegExp3, 
NRegExp2, and PerlFunc5 work. So far, there has rarely been a need for this, 
since --bufsize=10 has been sufficient for most cases.

Also, currently SEC assumes the --jointbuf option by default, which means that in 
the case of multi-line matching all events are stored into the same input 
buffer. Nevertheless, in this case --nojointbuf would make more sense, since 
that creates a separate buffer for each input source, allowing multiline 
patterns to work on data from one source only. Since with bufsize=1 there is no 
difference between --jointbuf and --nojointbuf, the --nojointbuf option would 
be a more reasonable default.

To summarize, I would like to hear user opinions on these matters, and whether 
it would make sense to you to change default values for these command line 
options.

Best regards,
risto

------------------------------------------------------------------------------
New Year. New Location. New Benefits. New Data Center in Ashburn, VA.
GigeNET is offering a free month of service with a new server in Ashburn.
Choose from 2 high performing configs, both with 100TB of bandwidth.
Higher redundancy.Lower latency.Increased capacity.Completely compliant.
http://p.sf.net/sfu/gigenet
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
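The interaction between --bufsize and --jointbuf/--nojointbuf that the poll above describes, as an added toy model written for this page (it is not SEC's own code, and it simplifies SEC's real buffer and matching semantics). The two input sources, the three log lines and the RegExp2-style pattern are constructed for the example; the claim it illustrates is the one in the thread: an N-line pattern can only fire when the buffer holds at least N lines, and a shared buffer lets a line from another source break the adjacency a multi-line pattern relies on.

```python
import re
from collections import deque

# Toy model of SEC's input buffer and of the --bufsize / --jointbuf /
# --nojointbuf interaction discussed in the thread.  This is illustrative
# code written for this page, not SEC's implementation, and it simplifies
# SEC's real matching semantics.

# Constructed sample events as (input source, log line) pairs.  The app.log
# line is deliberately interleaved between the two sshd lines.
EVENTS = [
    ("/var/log/auth.log",
     "Jan 19 08:24:01 host sshd[101]: Failed password for root from 10.0.0.5 port 5000 ssh2"),
    ("/var/log/app.log",
     "Jan 19 08:24:01 host app[7]: request ok"),
    ("/var/log/auth.log",
     "Jan 19 08:24:02 host sshd[101]: Accepted password for root from 10.0.0.5 port 5000 ssh2"),
]

# A RegExp2-style pattern (constructed for this example): two consecutive
# lines, a failed then an accepted login for the same user and client address.
PATTERN = re.compile(
    r"Failed password for (\S+) from (\S+) port \d+ ssh2\n"
    r".*Accepted password for \1 from \2\b"
)
NLINES = 2   # the "2" in RegExp2: the pattern is applied to the last 2 lines


class InputBuffer:
    """Keeps the last `bufsize` lines, like SEC's --bufsize (simplified)."""

    def __init__(self, bufsize):
        self.lines = deque(maxlen=bufsize)

    def push(self, line):
        self.lines.append(line)

    def window(self, nlines):
        """Last `nlines` lines joined with newlines, or None when the buffer
        cannot hold (or does not yet hold) that many lines."""
        if nlines > self.lines.maxlen or len(self.lines) < nlines:
            return None
        return "\n".join(list(self.lines)[-nlines:])


def correlate(events, pattern, nlines, bufsize, jointbuf):
    """Feed events through one joint buffer (--jointbuf) or one buffer per
    source (--nojointbuf); return (source, user, client) for each match."""
    buffers = {}
    hits = []
    for source, line in events:
        key = "joint" if jointbuf else source
        buf = buffers.setdefault(key, InputBuffer(bufsize))
        buf.push(line)
        text = buf.window(nlines)
        if text is None:
            continue   # bufsize smaller than N: an N-line pattern never fires
        m = pattern.search(text)
        if m:
            hits.append((source, m.group(1), m.group(2)))
    return hits


def demo():
    """Run the four combinations the poll is about and return their hits."""
    return {
        "bufsize=1 --jointbuf":   correlate(EVENTS, PATTERN, NLINES, 1, True),
        "bufsize=1 --nojointbuf": correlate(EVENTS, PATTERN, NLINES, 1, False),
        "bufsize=2 --jointbuf":   correlate(EVENTS, PATTERN, NLINES, 2, True),
        "bufsize=2 --nojointbuf": correlate(EVENTS, PATTERN, NLINES, 2, False),
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name:24s} -> {hits}")
```

Only the bufsize=2 --nojointbuf run reports the failed-then-accepted root login from 10.0.0.5: with bufsize=1 the two-line window can never be formed, so the rule is silently dead rather than wrong, and with a joint buffer the interleaved app.log line sits between the two sshd lines, so the adjacency the pattern needs is gone. That silent-failure mode is why a way to detect under-sized buffers before deployment (the --testonly check asked about above) matters more than the performance difference.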
