> > For better testing, it would be cool if SEC's idea of the current time could > be derived from the timestamps in the log file instead of wall-clock time, so > that context actions happen at the right time relative to log messages > (rather than 30 seconds after the program ends! :-), but that's probably a > bit too much to ask for. >
Implementing this idea is actually quite complex, since the internal state of SEC is not only affected by new events in input log files. There are many state changes which are associated with the system clock, for example, actions which are executed by Calendar rules, PairWithWindow rules, expiring contexts, etc. While some actions might not necessarily change the state of SEC (e.g., sending an email to someone does not influence event processing), there are actions which have an impact on state. For example, if an expiring context creates a synthetic event, this event might match other rules and trigger a non-trivial event processing scheme. Also, if a Calendar rule executes the 'addinput' action, a new input file is opened which might add a large number of new input events into play, while creating a context from expiring PairWithWindow operation might disable several frequently matching rules in the rule base. Therefore, implementing a simple artificial clock which is incremented according to the timestamp of each new input event does not allow to test a large part of the event correlation functionality. In order to do that, one must also identify relevant time moments in between event timestamps from input files, and carefully replay each such time moment. In short, a proper implementation of an artificial clock is a complex issue, and requires too much effort for too limited value. kind regards, risto _______________________________________________ Simple-evcorr-users mailing list Simple-evcorr-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
