unified2: alert file overwritten if rotate happens within second of creation
The unified2 alert files use a timestamp with second precision. When the file size limit is reached, it is rotated, meaning a new file with a new timestamp is created. However, if this timestamp (in seconds) is equal to the last file's timestamp, this file will be overwritten (truncated).
Updated by Victor Julien almost 11 years ago
- Status changed from Assigned to Closed
- % Done changed from 0 to 100
Fixed this by switching to append open instead of truncate open. This means that in case we rotate within a second we will actually ignore the limit.
As the limit is reset internally, the file can grow up to twice the limit or more if multiple rotates happen all within that 1 second.
This approach was chosen to prevent losing events.
commit 83559dd877dfa8f66acab9f418a2aaa9517f32b9
Author: Victor Julien <email@example.com>
Date:   Thu Dec 6 14:48:56 2012 +0100

    unified2: append open instead of truncate open so that in case we rotate within a second we don't overwrite files. Instead we violate the limit.
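The mechanism behind the report and the fix, as an added stand-alone demonstration that is not Suricata's code: a log writer names its files with a second-precision Unix timestamp, so two rotations inside one second produce the same file name. Opening that name with O_TRUNC discards the records already written (the lost alerts the issue describes); opening with O_APPEND keeps them, and the file grows past the size limit instead. The file-name scheme, the fixed timestamp, the record contents and the function names are constructed for this example.

```c
/* Added demonstration (not Suricata's code): second-precision file names
 * collide when two rotations happen within one second. O_TRUNC loses the
 * earlier records, O_APPEND keeps them and overshoots the size limit. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum U2OpenMode { U2_OPEN_TRUNCATE, U2_OPEN_APPEND };

/* Constructed sample records, exported so a caller can check sizes. */
const char *const U2_REC1 = "EVENT-1: first alert record (constructed sample)\n";
const char *const U2_REC2 = "EVENT-2: alert record written after rotate\n";

/* Hypothetical naming scheme: prefix plus Unix time in whole seconds, the
 * granularity that makes two rotations in one second collide. */
static void U2FileName(char *buf, size_t len, const char *prefix, long ts)
{
    snprintf(buf, len, "%s.%ld", prefix, ts);
}

/* Open the file the way the buggy code did (O_TRUNC) or the way the fix
 * does (O_APPEND), write one record, close. Returns bytes written or -1. */
static long U2WriteRecord(const char *prefix, long ts, enum U2OpenMode mode,
                          const char *rec)
{
    char path[256];
    U2FileName(path, sizeof(path), prefix, ts);
    int flags = O_WRONLY | O_CREAT |
                (mode == U2_OPEN_APPEND ? O_APPEND : O_TRUNC);
    int fd = open(path, flags, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, rec, strlen(rec));
    close(fd);
    return (long)n;
}

static long U2FileSize(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (long)st.st_size;
}

/* Simulate the reported sequence: the first record fills the file to its
 * limit, rotation happens before the clock advances, and the "new" file
 * turns out to be the same path. Returns the bytes that survive on disk. */
long U2SimulateRotateSameSecond(const char *prefix, enum U2OpenMode mode)
{
    const long ts = 1354801736L; /* constructed fixed timestamp */
    char path[256];
    U2FileName(path, sizeof(path), prefix, ts);
    unlink(path); /* start from a clean state */

    if (U2WriteRecord(prefix, ts, mode, U2_REC1) < 0) /* file 1, hits limit */
        return -1;
    if (U2WriteRecord(prefix, ts, mode, U2_REC2) < 0) /* rotate, same name */
        return -1;

    long size = U2FileSize(path);
    unlink(path); /* clean up the demo file */
    return size;
}

int main(void)
{
    long lost = U2SimulateRotateSameSecond("unified2.alert", U2_OPEN_TRUNCATE);
    long kept = U2SimulateRotateSameSecond("unified2.alert", U2_OPEN_APPEND);
    printf("truncate open: %ld bytes survive (first record lost)\n", lost);
    printf("append open:   %ld bytes survive (limit exceeded, nothing lost)\n", kept);
    return 0;
}
```

The append variant shows the trade-off the fix accepts: the surviving size equals both records together, which is larger than the single-record "limit" the first write reached, so a collector reading these files should expect the size limit to be a soft bound rather than a guarantee.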