Optimization #5680

open

eve-log: reduce duplication of info

Added by Juliana Fajardini Reichow about 2 years ago. Updated about 2 years ago.

Status:
New
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:

Description

E.g.: just keep flow id or community id for HTTP logs, for instance, and this would hold the info for the correlated events.


Related issues 1 (1 open, 0 closed)

Related to Suricata - Task #5488: Suricon 2022 brainstorm (Assigned: Victor Julien)
Actions #1

Updated by Juliana Fajardini Reichow about 2 years ago

  • Related to Task #5488: Suricon 2022 brainstorm added
Actions #2

Updated by Victor Julien about 2 years ago

The request was in part to reduce IO pressure, which I understand, but I also feel this is mostly a post-processing function. See the work by the vast.io folks to compress data, for example.

I would like to avoid a runtime cost by Suricata to do any kind of de-duplication. Perhaps simply having more control over which fields are logged per eve type is enough?

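The post-processing approach the thread leans toward, as an added example that is not part of this ticket or of Suricata: a small Python filter that leaves only flow_id on http and alert records, lets the flow record for the same flow carry the shared 5-tuple and community_id, and offers the reverse step for analysts who need full records back. The eve.json lines are constructed samples, and SHARED_FIELDS is an assumed list to adjust to your own EVE schema.

```python
import json

# Per-event fields the flow record for the same flow_id repeats verbatim (assumed list; adjust to your schema).
SHARED_FIELDS = ("src_ip", "src_port", "dest_ip", "dest_port", "proto", "community_id")

# Constructed eve.json lines (not a real capture): an HTTP event, an alert logged to-client, and the flow record.
SAMPLE_EVE = [
    '{"timestamp":"2022-11-01T10:00:00.000000+0000","flow_id":1234567890,"event_type":"http",'
    '"src_ip":"10.0.0.5","src_port":51000,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP",'
    '"community_id":"1:EXAMPLEcommunityid=","http":{"hostname":"example.test","url":"/","status":200}}',
    '{"timestamp":"2022-11-01T10:00:00.100000+0000","flow_id":1234567890,"event_type":"alert",'
    '"src_ip":"203.0.113.10","src_port":80,"dest_ip":"10.0.0.5","dest_port":51000,"proto":"TCP",'
    '"community_id":"1:EXAMPLEcommunityid=","alert":{"signature_id":1,"signature":"constructed test rule"}}',
    '{"timestamp":"2022-11-01T10:00:05.000000+0000","flow_id":1234567890,"event_type":"flow",'
    '"src_ip":"10.0.0.5","src_port":51000,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP",'
    '"community_id":"1:EXAMPLEcommunityid=","flow":{"pkts_toserver":6,"pkts_toclient":5,"state":"closed"}}',
]

def load(lines):
    return [json.loads(line) for line in lines if line.strip()]

def dedup(lines):
    """Strip SHARED_FIELDS from non-flow events whose flow record carries the same values."""
    events = load(lines)
    flows = {e["flow_id"]: e for e in events if e.get("event_type") == "flow"}
    slim = []
    for e in events:
        flow = flows.get(e.get("flow_id"))
        if e.get("event_type") == "flow" or flow is None:
            slim.append(e)  # the flow record keeps the tuple; orphans without a flow record keep everything
            continue
        # Keep a field that disagrees with the flow record (the alert above is logged to-client),
        # so only true duplicates are dropped and nothing is lost.
        slim.append({k: v for k, v in e.items()
                     if k not in SHARED_FIELDS or flow.get(k) != v})
    return slim

def rehydrate(events):
    """Reverse dedup: copy shared fields back from the matching flow record; the event's own values win."""
    flows = {e["flow_id"]: e for e in events if e.get("event_type") == "flow"}
    return [e if e.get("event_type") == "flow" or e.get("flow_id") not in flows
            else {**{k: v for k, v in flows[e["flow_id"]].items() if k in SHARED_FIELDS}, **e}
            for e in events]

def bytes_saved(lines):
    """Compact-JSON bytes removed by dedup for a list of lines (formatting differs from Suricata's own)."""
    size = lambda evs: sum(len(json.dumps(e, separators=(",", ":"))) for e in evs)
    return size(load(lines)) - size(dedup(lines))
```

Running it over a real eve.json means streaming the file twice (flow records arrive after the events they close), or buffering per flow_id until the flow record shows up.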
Actions #3

Updated by Victor Julien about 2 years ago

  • Assignee changed from OISF Dev to Community Ticket