[Zeek-Dev] Log archival (Re: Zeek Supervisor: designing client and log archival) behavior

Robin Sommer robin at corelight.com
Thu Jul 2 00:44:08 PDT 2020


On Wed, Jul 01, 2020 at 14:03 -0700, Jon Siwek wrote:

> What if an open() rarely or never happens again for a given log?

Ah, right, forgot about that case. So yeah, agree, the shadow files
are useful for this and to retain whatever information we need.

> * Changed: running through a function of same-name, but it happened to
> get changed between restart is probably still going to be closer to
> what user expects than running it through the default post-processor
> which is completely different?

I was thinking not the default post-processor, but whatever is
configured for the log file we are just opening (if we did it at
open() time). But yeah, won't work when the cleanup happens already
before the new open.

Robin

-- 
Robin Sommer * Corelight, Inc. * robin at corelight.com * www.corelight.com

