[Bro-Dev] Notices and alarms (Re: [Bro-Commits] [git/bro] topic/robin/pp-alarms: A new notice script that pretty-prints alarms in the summary email. (73d5643))

[Robin Sommer]

On Wed, Oct 26, 2011 at 17:02 -0400, you wrote:

> You think that people would want to start receiving all of their
> notices in email prior to getting a chance to look through the notices
> to see what they want?

Yes, I do actually. It's the push vs. pull model; seeing what I want
and adjusting the config takes effort. Also, at least for smaller
networks, it's actually not a problem; and I'm hoping we'll be getting
plenty of those in the future as well.

> # Uncomment the following line to begin receiving hourly emails containing all of your notices.
> #redef Notice::policy += { [$action = Notice::ACTION_ALARM, $priority = 0] };

I like that! It's short and even better than the option I suggested
because one can start tweaking right there. And I'm fine leaving it
commented out. I'll add that.

Robin

-- 
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org