In message <[EMAIL PROTECTED]>,
ScottO writes:
>Just curious, are there any plans to maintain state across a restart or
>reload of SEC?

I don't know of any.

>Currently I have my rules spread out across a bunch of files, related by
>type - which helps minimize losing state when new rules need to be loaded.

Plus it improves performance if they are set up right.

>Just wondering if there may eventually be a way to write/read state to a
>file?

I did some work with that a while back. I had a routine that I called
on shutdown (sigterm handler) that dumped the context array into a
file. Then during a restart, that file was used to reload the context
array. It kind of worked, but there were issues with handling contexts
that had expired during the time SEC was down. Or contexts not getting
cleaned up because they would be deleted by the action of another
context or by a rule. (Note that all the correlations that exist over
a span of time can be implemented with single rules and contexts. So
Pair, PairWithWindow, SingleWithSuppress ... can be expressed as single
rules with timed contexts. The counting rules Threshold... I believe
can be implemented as well with timed contexts and some perl subs to
perform the counting.)

I suspect that handling correlations in progress would also be just as
problematic. E.g. what do you do with a partly done PairWithWindow?
If the window expired while SEC was down do you trigger its action as
though pattern2 hadn't been seen?

Part of the state has to include the current positions in the log
files so it can restart any in progress correlations. But there is no
way to preserve the timing in the log file and it would be very
difficult to add. See the discussions on making SEC run faster than
real time for analyzing stored log files on disk. I think "batch" was a
term used in the subject.

--
                                -- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
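
The dump-on-SIGTERM and reload approach described in the message above, as an added sketch that is not SEC code and not the poster's routine. It is a Python model (SEC itself is Perl); the ContextStore class, the JSON state file layout and the context names are assumptions made for illustration.

```python
import json, os, signal, tempfile, time

class ContextStore:
    """Toy model of timed contexts: name -> absolute expiry in epoch
    seconds, or None for a context with no timeout (assumed layout)."""
    def __init__(self):
        self.contexts = {}

    def create(self, name, lifetime=None, now=None):
        now = time.time() if now is None else now
        # Store an absolute deadline, not a remaining lifetime, so that
        # downtime is accounted for automatically on reload.
        self.contexts[name] = None if lifetime is None else now + lifetime

    def dump(self, path, now=None):
        now = time.time() if now is None else now
        state = {"saved_at": now, "contexts": self.contexts}
        # mkstemp creates the file mode 0600; write-then-rename means a
        # crash mid-dump never leaves a truncated state file behind.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
        with os.fdopen(fd, "w") as fh:
            json.dump(state, fh)
        os.replace(tmp, path)

    def load(self, path, now=None):
        """Reload state; return names of contexts that expired while down."""
        now = time.time() if now is None else now
        with open(path) as fh:
            state = json.load(fh)
        if state["saved_at"] > now:
            raise ValueError("state file is newer than the current clock")
        expired = []
        for name, expiry in state["contexts"].items():
            if expiry is not None and expiry <= now:
                expired.append(name)   # caller decides: drop, or run its action
            else:
                self.contexts[name] = expiry
        return sorted(expired)

def dump_on_sigterm(store, path):
    """Install a SIGTERM handler that saves the store before exiting."""
    def handler(signum, frame):
        store.dump(path)
        raise SystemExit(0)
    signal.signal(signal.SIGTERM, handler)
```

This only covers contexts with their own timeout. Contexts that were meant to be deleted by another context's action or by a rule, and partly completed correlations, are the cases the message says remain unsolved.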
