From: Jeff Lucovsky Date: Mon, 2 Oct 2023 15:00:46 +0000 (-0400) Subject: conf/output: Buffering related config settings X-Git-Tag: suricata-8.0.0-beta1~369 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=92b2aebe756a8900ff7c9f5244540e5ccf70e5c2;p=thirdparty%2Fsuricata.git conf/output: Buffering related config settings This commit adds 2 EVE output buffering settings - buffer-size value which specifies the amount of buffering, if any, for regular/file output types. - flush-interval Specifies the cadence at which Suricata will direct detect threads to flush EVE output. Issue: 3449
---
diff --git a/suricata.yaml.in b/suricata.yaml.in
index 336c42c081..b2c69f9ec6 100644
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -101,6 +101,10 @@ outputs:
 # Enable for multi-threaded eve.json output; output files are amended with
 # an identifier, e.g., eve.9.json
 #threaded: false
+ # Specify the amount of buffering, in bytes, for
+ # this output type. The default value 0 means "no
+ # buffering".
+ buffer-size: 0
 #prefix: "@cee: " # prefix to prepend to each log entry
 # the following are valid when type: syslog above
 #identity: "suricata"
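Review bot: `buffer-size: 0` is added as a live key while the neighbouring settings in this stanza (`#threaded: false`, `#prefix:`, `#identity:`) are commented-out defaults, so for consistency with the file's convention the default should read `#buffer-size: 0`. The comment also says nothing about the delivery consequence of enabling buffering: with a non-zero value, written EVE records sit in the process buffer until it fills or a flush happens, so an operator tuning detection latency needs to know that `flush-interval` (added under `logging:` in the next hunk) should be set together with it, and that records still buffered at an abnormal exit are presumably not written out — hedged, since the flush and shutdown paths are not in this diff. Suggested addition after the existing lines: `# Buffered records are written when the buffer fills or at the flush-interval; set flush-interval when enabling buffering so events are not delayed indefinitely.`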
@@ -571,6 +575,16 @@ outputs:
 # Logging configuration. This is not about logging IDS alerts/events, but
 # output about what Suricata is doing, like startup messages, errors, etc.
 logging:
+ # The flush-interval governs how often Suricata will instruct the detection
+ # threads to flush their EVE output. Specify the value in seconds [1-60]
+ # and Suricata will initiate EVE log output flushes at that interval. A value
+ # of 0 means no EVE log output flushes are initiated. When the EVE output
+ # buffer-size value is non-zero, some EVE output that was written may remain
+ # buffered. The flush-interval governs how much buffered data exists.
+ #
+ # The default value is: 0 (never instruct detection threads to flush output)
+ #flush-interval: 0
+
 # The default log level: can be overridden in an output section.
 # Note that debug level logging will only be emitted if Suricata was
 # compiled with the --enable-debug configure option.
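Review bot: `#flush-interval` is placed under `logging:`, whose own comment two lines above says the stanza is "not about logging IDS alerts/events", yet the setting governs flushing of EVE alert/event output; it would be less surprising next to `buffer-size` in the `outputs:` section, or the comment should say why it lives here. The sentence `# buffered. The flush-interval governs how much buffered data exists.` is also imprecise — an interval bounds how long written events may wait in the buffer, not how much data accumulates (that is bounded by buffer-size); suggest `# buffered. The flush-interval bounds how long written events may remain buffered.` The comment gives a range of [1-60] but not what happens with a value outside it; whatever the loader does (not visible in this diff) should be stated here once confirmed, since a silently ignored value would leave buffered events unflushed.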