[Bro-Dev] Duplicate Notice Actions Regression?

Vlad Grigorescu vladg at cmu.edu
Fri Feb 8 12:40:07 PST 2013


On Feb 8, 2013, at 3:29 PM, "Siwek, Jonathan Luke" <jsiwek at illinois.edu> wrote:

> I also thought that could have broken the notice de-duplication/suppression, but it seemed to work in my testing.  A simple check is to do `broctl print Notice::ordered_policy`.  If it's empty on all the worker nodes, but populated for the manager node, then it's still working like I expected and probably something else is wrong.

It's populated on all the nodes. I'm not redefing Notice::emailed_types, which is what the original commit says causes this, but I am redefing Notice::mail_dest.

> Are you getting 2 of the same exact email as if from both the worker and manager, or is it just that you get many emails within the suppression interval for the same "logical" notice $identifier?

Same exact e-mail.

> And is it for all notice types or just certain ones?  If it's certain custom ones you're creating, can you post examples of how you call NOTICE() to generate them?

Hmm. I believe only custom ones. I don't think I'm doing anything with the default ones, except for ACTION_LOG, which isn't duplicated. I used to use sync_functions to generate them (example here: https://gist.github.com/grigorescu/2925e938f1bcc13a1964), but I've changed to just using the notice event to see if that fixes this, e.g.:

> event notice(n: Notice::Info) &priority=-5
>       {
>             if ( ACTION_EMAIL_ISO_IR in n$actions )
>                   email_notice_to(n, "iso-ir at cmu.edu", T);
>       }

> Have you changed any of the "suppression_interval" settings?

Some of my notices have a non-default suppress_for interval, but I haven't changed the interval globally.

Thanks,

  --Vlad



