[Bro-Dev] Notices and alarms (Re: [Bro-Commits] [git/bro] topic/robin/pp-alarms: A new notice script that pretty-prints alarms in the summary email. (73d5643))

Robin Sommer robin at icir.org
Wed Oct 26 11:20:27 PDT 2011


On Wed, Oct 26, 2011 at 14:09 -0400, you wrote:

> As I'm reading through it I'm having a few thoughts.  Maybe we should
> just make an extensions/ directory in the notice framework instead of
> the current extend-email/ and actions/ directories?

Yeah, sounds good, I was wondering where to put this.

> And I'm going to back up on what I said before.  I can see this script
> taking a shell script or something to process the log file through as
> an alternate way of converting the log into the email body.

That's how I wanted to start but then one needs to parse the log in
shell. Thinking about it more, I agreed with what you said earlier and
did it in pure Bro, which is easier (or will be once I actually add
the code for the formatting). 

>  That might even make more sense as the primary approach.  I guess it
>  would be like a prerotation filter or something?

Maybe, but not sure. That may be better to postpone until we have a
better idea of what it might look like.


Ok, I'll finish this up then. Would like to get that into the beta as
it would be a step backwards from 1.5 otherwise. Are you ok turning it
on by default?


One more thing that bothers me a bit: by default, there are no
alarms... Everything just goes into notice.log.  To get any mails, one
needs to configure things appropriately, which is hard at the beginning
because one won't have a good idea what can be generated.

I'm sure you have thought about this: what's the reason for not using
ACTION_ALARM as the default action, now that there aren't actually
that many notices generated anymore?

Robin


-- 
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
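The thread weighs two ways of turning notice.log into the body of a summary email: a pure-Bro script, or an external script that parses the log after the fact. The following is an added example of the second approach, not the script under discussion and not part of the Bro code base. It assumes the tab-separated ASCII log layout with `#fields` and `#types` header lines; the sample log embedded below is constructed (RFC 5737 test addresses, made-up UIDs), and the alarm test keys on the `Notice::ACTION_ALARM` action mentioned in the message.

```python
"""Summarise a Bro/Zeek-style notice.log into a plain-text email body.

Added example, not the script discussed in the thread.  Assumes the
tab-separated ASCII log layout with a '#fields' header line; the sample
log below is constructed, not real traffic.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample notice.log (Bro/Zeek ASCII-log header convention, assumed).
SAMPLE_NOTICE_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tnotice
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tnote\tmsg\tactions
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\ttable[enum]
1319649600.123456\tCXWv6p3arKYeMETxOg\t192.0.2.10\t51234\t198.51.100.5\t22\tSSH::Password_Guessing\t192.0.2.10 appears to be guessing SSH passwords\tNotice::ACTION_ALARM,Notice::ACTION_LOG
1319649605.000000\tCjhGID4nQcgTWjvg4c\t192.0.2.11\t40000\t198.51.100.9\t80\tHTTP::SQL_Injection_Attacker\tAn SQL injection attacker was discovered!\tNotice::ACTION_LOG
1319649610.500000\tC4J4Th3PJpwUYZZ6gc\t192.0.2.10\t51300\t198.51.100.5\t22\tSSH::Password_Guessing\t192.0.2.10 appears to be guessing SSH passwords\tNotice::ACTION_ALARM,Notice::ACTION_LOG
"""

ALARM_ACTION = "Notice::ACTION_ALARM"


def parse_bro_log(text):
    """Parse a tab-separated Bro/Zeek ASCII log into a list of dicts.

    Column names come from the '#fields' header; all other '#' lines are
    metadata and are skipped.  Rows with a different number of columns
    than the header (truncated writes, in-progress rotation) are dropped
    rather than mis-aligned, since a shifted 'actions' column would make
    the alarm filter silently wrong.
    """
    fields = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        if fields is None:
            continue  # data before the header: nothing to name the columns with
        cols = line.split("\t")
        if len(cols) != len(fields):
            continue
        records.append(dict(zip(fields, cols)))
    return records


def select_alarms(records):
    """Keep only notices whose action set includes ACTION_ALARM."""
    out = []
    for rec in records:
        actions = rec.get("actions", "-")
        if actions == "-":  # unset field: no actions recorded
            continue
        if ALARM_ACTION in actions.split(","):
            out.append(rec)
    return out


def count_by_note(records):
    """Count notices per note type (e.g. SSH::Password_Guessing)."""
    return Counter(rec["note"] for rec in records)


def _fmt_ts(ts):
    # Bro timestamps are epoch seconds with fractional part; render in UTC.
    return datetime.fromtimestamp(float(ts), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def format_email_body(records):
    """Render alarms grouped by note type, one line per notice."""
    alarms = select_alarms(records)
    if not alarms:
        return "No alarms.\n"
    by_note = defaultdict(list)
    for rec in alarms:
        by_note[rec["note"]].append(rec)
    lines = ["%d alarm(s) in %d note type(s)" % (len(alarms), len(by_note)), ""]
    for note in sorted(by_note):
        lines.append("== %s (%d) ==" % (note, len(by_note[note])))
        for rec in by_note[note]:
            lines.append("  %s  %s:%s -> %s:%s  %s" % (
                _fmt_ts(rec["ts"]), rec["id.orig_h"], rec["id.orig_p"],
                rec["id.resp_h"], rec["id.resp_p"], rec["msg"]))
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_email_body(parse_bro_log(SAMPLE_NOTICE_LOG)))
```

The example takes the opposite stance from the message on one point, by design: the notice marked only `Notice::ACTION_LOG` is parsed but left out of the mail, which is exactly the "everything just goes into notice.log and nobody gets mail" situation Robin describes; whether ACTION_ALARM should be the default is a policy decision that this kind of post-processing cannot make for you.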

