Robert - elists wrote:
> Greetings
>
> Is using sa-compile the standard now?
>
> ... or are most organizations still just using the stock formatted
> rulesets?
>
> If not the standard, is it the SA recommended standard?
>
> I know there can be problems or issues, yet if we do use sa-compile as
> instructed by the documentation, should we be on the lookout for any
> specific issues in logs or operations?
>
> Thanks and kind regards!

I would say that sa-compile is the preferred method due to its performance benefits. There aren't many (any?) drawbacks to using it.

That said, I still cannot get it to work on my system. Everything works fine with the standard rulesets, but as soon as I enable the compiled rules, I start getting lots of errors in the logs about duplicated rules. Nobody had any suggestions for me when I posted this problem, so apparently it's not affecting a lot of people, but keep an eye on your logs after enabling it.

Other than that, just keep in mind that you will need to add the sa-compile command to your update scripts. sa-update will not compile the updated rules for you.

--
Bowie
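
The update-script point in the reply above, sketched as a wrapper (an added example, not part of the original thread or of SpamAssassin itself): it recompiles only when sa-update reports that new rules were installed, and it reloads the scanner only after the compile and a lint pass succeed. The `SA_*` override variables and the `run` argument are assumptions made for this sketch, and the reload command is a site-specific placeholder.

```shell
#!/bin/sh
# Added example: run sa-update, then sa-compile only when new rules arrived.
# SA_UPDATE, SA_COMPILE, SA_LINT and SA_RELOAD are hypothetical override
# variables introduced for this sketch; they are not SpamAssassin settings.
SA_UPDATE=${SA_UPDATE:-sa-update}
SA_COMPILE=${SA_COMPILE:-sa-compile}
SA_LINT=${SA_LINT:-"spamassassin --lint"}
SA_RELOAD=${SA_RELOAD:-:}   # placeholder no-op; set to your spamd/amavisd restart

update_and_compile() {
    rc=0
    $SA_UPDATE || rc=$?
    case $rc in
        0|3) ;;   # 0: update installed; 3: some channels updated, others failed
        1)  echo "sa-update: no new rules, compiled set is still current"
            return 0 ;;
        *)  # 2: lint of the downloaded update failed; 4 and up: download errors
            echo "sa-update failed with exit code $rc" >&2
            return "$rc" ;;
    esac

    # sa-update never does this step, so the compiled bodies would go stale.
    if ! $SA_COMPILE; then
        echo "sa-compile failed; not reloading" >&2
        return 10
    fi

    # Sanity-check the resulting configuration before the scanner picks it up.
    if ! $SA_LINT; then
        echo "lint failed after compile; not reloading" >&2
        return 11
    fi

    $SA_RELOAD
}

# Invoke as "<script> run" from cron; with no argument it only defines the function.
if [ "${1:-}" = "run" ]; then
    update_and_compile
fi
```

Cron mail or syslog from this wrapper is also a convenient place to watch for the kind of post-compile log errors mentioned in the reply.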