2015-01-19 17:17 GMT+02:00 MILLS, ROCKY <rx4...@att.com>:
> If the bufsize=1 default occurs, upon loading its rules would SEC print a
> warning or an error message for each rule that is using "pattern types like
> RegExp3, NRegExp2, and PerlFunc5"? If so, then existing rules could be
> checked in advance for any bufsize=1 issues by running SEC with --testonly
> and searching its output for the related warning messages.
>
This warning message is already implemented. For example, if you use a
RegExp11 pattern in a rule, SEC would log an error "Invalid linecount 11 in
'regexp11'". The message wording could be somewhat more precise, though,
and I'll change it in the 2.7.7 version.

kind regards,
risto
> Regards,
> Rock
>
> -----Original Message-----
> From: Risto Vaarandi [mailto:risto.vaara...@seb.ee]
> Sent: Monday, January 19, 2015 8:24 AM
> To: simple-evcorr-users@lists.sourceforge.net
> Subject: [Simple-evcorr-users] user poll: changing default values for some
> command line options
>
> Hi all,
>
> I am currently working on the 2.7.7 version, and a recent e-mail exchange
> with one of the users has inspired me to think about changing default
> values for --bufsize and --jointbuf/--nojointbuf options.
>
> Currently, the default for --bufsize is 10, which means that SEC keeps the
> last 10 lines from input sources in the input buffer, in order to facilitate
> multiline matching. However, many rulesets are written for processing
> single-line events (e.g., from syslog log files), and rulesets for
> multiline events are clearly a minority. In the current pattern matching
> routines, all of the code is written in a generic way for both the single-line
> and the multi-line case. Nevertheless, if bufsize=1 were the default, some of
> the code for the single-line case could be factored out and written more
> efficiently, which would allow for some performance gains in the single-line
> scenario. The downside of changing the default from bufsize=10 to bufsize=1
> would be the need to set --bufsize explicitly on the command line, in order to
> make pattern types like RegExp3, NRegExp2, and PerlFunc5 work. So far,
> there has rarely been a need for this, since --bufsize=10 has been
> sufficient for most of the cases.
>
> Also, currently SEC assumes --jointbuf option by default which means that
> in the case of multi-line matching all events are stored into the same
> input buffer. Nevertheless, in this case --nojointbuf would make more
> sense, since that creates a separate buffer for each input source, allowing
> multiline patterns to work on data from one source only. Since with
> bufsize=1 there is no difference between --jointbuf and --nojointbuf, the
> --nojointbuf option would be a more reasonable default.
>
> To summarize, I would like to hear user opinions on these matters, and
> whether it would make sense to you to change default values for these
> command line options.
>
> Best regards,
> risto
>
>
> ------------------------------------------------------------------------------
> New Year. New Location. New Benefits. New Data Center in Ashburn, VA.
> GigeNET is offering a free month of service with a new server in Ashburn.
> Choose from 2 high performing configs, both with 100TB of bandwidth.
> Higher redundancy.Lower latency.Increased capacity.Completely compliant.
> http://p.sf.net/sfu/gigenet
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
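As an added example (not part of this thread and not SEC's own code), the following static pre-check lists pattern types in a rule file whose line count exceeds a given --bufsize, which is the situation discussed above for RegExp3, NRegExp2 and PerlFunc5 under bufsize=1. The function name and the sample rules are constructed for illustration, and the parser assumes one keyword=value per line without backslash continuations; SEC run with --testonly remains the authoritative check.

```python
import re

# ptype, ptype2, ... keywords whose value may carry a line-count suffix
# (RegExp3, NRegExp2, PerlFunc5). Matched case-insensitively (assumption).
PTYPE_RE = re.compile(
    r"^\s*(ptype\d*)\s*=\s*(N?(?:RegExp|SubStr|PerlFunc))(\d*)\s*$", re.I)

def patterns_exceeding_bufsize(rule_text, bufsize=1):
    """Return (line_no, keyword, pattern_type, linecount) per oversized pattern."""
    findings = []
    for line_no, line in enumerate(rule_text.splitlines(), start=1):
        m = PTYPE_RE.match(line)  # comment lines start with '#', never match
        if m is None:
            continue
        keyword, base, suffix = m.groups()
        linecount = int(suffix) if suffix else 1  # no suffix means one line
        if linecount > bufsize:
            findings.append((line_no, keyword, base + suffix, linecount))
    return findings

# Constructed sample ruleset (not taken from the thread).
SAMPLE_RULES = r"""type=Single
ptype=RegExp
pattern=sshd\[\d+\]: Failed password for (\S+)
desc=login failure for $1
action=write - $0

type=Single
ptype=RegExp3
pattern=^Error\n.*\n.*stack trace
desc=three-line error report
action=write - $0

type=PairWithWindow
ptype=SubStr
pattern=link down
desc=link down
action=write - link down
ptype2=NRegExp2
pattern2=link up\n.*link up
desc2=link up
action2=none
window=60
"""

if __name__ == "__main__":
    for line_no, keyword, ptype, n in patterns_exceeding_bufsize(SAMPLE_RULES, 1):
        print(f"line {line_no}: {keyword}={ptype} needs --bufsize>={n}")
```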