Feature #5461: eve: Use threaded output by default - Suricata - Open Information Security Foundation

Actions

Copy link

Feature #5461

open

eve: Use threaded output by default

Added by Jeff Lucovsky over 2 years ago. Updated about 2 years ago.

Status:

New

Priority:

Normal

Assignee:

OISF Dev

Target version:

TBD

Effort:

Difficulty:

Label:

Description

Change the default configuration setting of eve-log.threaded to on (enabled).

This will yield the most performant path when writing to the eve.json file but it also imposes the following change:

eve.json will no longer be written to. Instead, multiple files name eve.N.json will be created (one for each Suricata thread that adds entries to the EVE log)

This requires upstream handling of the EVE log to be aware that the EVE log contents are spread among the collection of eve.N.json files. Workflow processing must be cognizant of this. Individual log entries in each file continue to be timestamped so the entries could be time-stitched into a singular storage entity.

History
Notes
Property changes

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Feature #5461

eve: Use threaded output by default

Updated by Victor Julien over 2 years ago

Updated by Andreas Herz about 2 years ago