Added by Juliana Fajardini Reichow about 2 years ago. Updated 5 days ago.
Description
With stream events, some other fields added from app-layer, we may add way too much data to alert events.
Investigate what truly makes sense, and other modules that also do that.
I am not sure I understand what is meant here..?
Philippe Antoine wrote in #note-4:
I am not sure I understand what is meant here..?
It's indeed a vague ticket. Maybe it would be better if left as an umbrella ticket?
The point is that it is possible to make alert events (and possibly others) rather verbose, depending on what's enabled, and that some thought should be given to:
- are there things that could be removed from this output?
- which modules can impact alert's verbosity?
But maybe this should be a broader effort?
Juliana Fajardini Reichow wrote in #note-5:
Philippe Antoine wrote in #note-4:
I am not sure I understand what is meant here..?
It's indeed a vague ticket. Maybe it would be better if left as an umbrella ticket?
The point is that it is possible to make alert events (and possibly others) rather verbose, depending on what's enabled, and that some thought should be given to:
- are there things that could be removed from this output?
- which modules can impact alert's verbosity?But maybe this should be a broader effort?
I think this is hard to reason about without specific examples of where things go too large; otherwise, we're kind of making guesses, and then it likely needs to be attacked in a way that makes sense for the specific protocol.
I'd lean towards closing this until some examples can be presented.
Won't oppose. Maybe we could add this as a specific topic for the next Brainstorming session?
I think I created this ticket after some discussion with Victor, but again, if I can't come up with examples, it's not useful.
Closing, then.