Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Disable CHECK_INTERVAL when using journalctl #49

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

smith153
Copy link

If we are getting all our data from journalctl, I don't see a point in using the old polling method. This is an attempt to allow psad to wait for IO activity instead of waiting for a timeout.

I am using this for my personal servers with no ill effects. I am not asking you to accept this pull request but I do ask that you consider the idea.

Since can_read() blocks by default, I removed the timeout to allow psad to wait until it receives activity from the child process watching journalctrl (well actually I gave it a timeout of 120 since I guess we would not want it to accidentally block forever if the background process got killed). Once activity is detected we enter a second state defined by the while loop that calls can_read() with a short timeout. This is due to the fact that since we are reading from a pipe, we will never get an EOF and thus a normal read would block forever. Once the second read times out, the process then flows though the normal process (minus the last sleep $config{'CHECK_INTERVAL'}).

I did add a hard limit of @fw_packets < 10 since on a busy host this read would never time out, though perhaps we could set it to $config{'FW_MSG_READ_MIN_PKTS'}

@mrash
Copy link
Owner

mrash commented Jul 26, 2017

Thanks, this looks like a great addition. I will do some testing over the next couple of days.

@mrash mrash self-assigned this Aug 1, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants