On Feb 8, 2013, at 3:29 PM, "Siwek, Jonathan Luke" <[email protected]> wrote:
> I also thought that could have broken the notice de-duplication/suppression,
> but it seemed to work in my testing. A simple check is to do
> `broctl print Notice::ordered_policy`. If it's empty on all the worker nodes,
> but populated for the manager node, then it's still working like I expected
> and probably something else is wrong.

It's populated on all the nodes. I'm not redefing Notice::emailed_types, which is what the original commit says causes this, but I am redefing Notice::mail_dest.

> Are you getting 2 of the same exact email as if from both the worker and
> manager, or is it just that you get many emails within the suppression
> interval for the same "logical" notice $identifier?

Same exact e-mail.

> And is it for all notice types or just certain ones? If it's certain custom
> ones you're creating, can you post examples of how you call NOTICE() to
> generate them?

Hmm. I believe only custom ones. I don't think I'm doing anything with the default ones, except for ACTION_LOG, which isn't duplicated.

I used to use sync_functions to generate them (example here: https://gist.github.com/grigorescu/2925e938f1bcc13a1964), but I've changed to just using the notice event to see if that fixes this, e.g.:

> event notice(n: Notice::Info) &priority=-5
>     {
>     if ( ACTION_EMAIL_ISO_IR in n$actions )
>         email_notice_to(n, "[email protected]", T);
>     }

> Have you changed any of the "suppression_interval" settings?

Some of my notices have a non-default suppress_for interval, but I haven't changed the interval globally.

Thanks,

--Vlad

_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
