In message
<CAGfjSCO3ZQ5vYugpJqnLq+YdbbL7FLSQ0zuky2oT=uzlvkh...@mail.gmail.com> ,
Risto Vaarandi writes:
>2014-05-22 14:37 GMT+03:00 Natalia Iglesias
> <[email protected]>>:
>> Just a simple question this time (I hope): which debug level is
>> recommended for production rules?  What are the possible side effects of a
>> high (6) debug level?
>>
>If you have tested your rules and you don't need debug messages which
>provide detailed info about all sec activities, the level 5 might be a good
>option. With this level, you would get info about the creation of new
>processes, input file rotations, and other such events, but also about all
>error conditions.
>The only side-effect of level 6 is an extensive amount of logged info which
>means that the log might need very frequent rotation. However, debug
>messages are mostly triggered by the execution of actions, so if your
>rulesets do not trigger a large number of actions in a short time frame,
>level 6 might be quite OK.

I have had logging slow things down measurably, but I also fall into
the category where I am performing a lot of actions in my rules and
have frequent bursts of logs in a short period of time that I need to
process. I usually run at level 4 which warns me about errors in the
rulesets without including a lot of normal operating notifications.

Note that you can change the debug level while sec is running.  There
is a signal to cycle through the debug levels, so if you have an
issue, you can keep your SEC running and increase logging from 4 to 5
to 6 back to 1 and so on back to 4 when you are done.  See the man
page for signal handling details.

--
                                -- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.

_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
