Bug #664
closed
unified2: alert file overwritten if rotate happens within second of creation
Added by Victor Julien almost 12 years ago.
Updated almost 12 years ago.
Description
The unified2 alert files use a timestamp with second precision. When the file size limit is reached, it is rotated, meaning a new file with a new timestamp is created. However, if this timestamp (in seconds) is equal to the last files timestamp, this file will be overwritten (truncated).
- Status changed from Assigned to Closed
- % Done changed from 0 to 100
Fixed this by switching to append open instead of truncate open. This means that in case we rotate within a second we will actually ignore the limit.
As the limit is reset internally, the file can grow up to twice the limit or more if multiple rotates happen all within that 1 second.
This approach was chosen to prevent loosing events.
commit 83559dd877dfa8f66acab9f418a2aaa9517f32b9
Author: Victor Julien <victor@inliniac.net>
Date: Thu Dec 6 14:48:56 2012 +0100
unified2: append open instead of trucate open so that in case we rotate within a second we don't overwrite files. Instead we violate the limit.
Also available in: Atom
PDF