#180 "Cached Events" is way less than "Total Events"

closed-fixed
None
5
2007-12-28
2007-07-27
No

For the past couple of days I have been struggling with a very bizzare issue.
For whatever reason the amount of events in cache is significantly lower than the number of total
events...

I have BASE running on different systems.
I tried different versions of BASE too. But the result is the same.
Initially, the problem showed up as 0 cached alerts, since there were only about 60 total alerts. I
thought that BASE cannot determine the sensor id, but later on some alerts appeared in cache.
I try to use "Update Alert Cache" and "Rebuild Alert Cache" buttons, but nothing happens.

Please let me know if I can provide any debugging information for you or something.

Suggestions, ideas are very welcome.

With best regards.

Discussion

  • Jordan Wiens

    Jordan Wiens - 2007-07-30

    Logged In: YES
    user_id=600581
    Originator: NO

    fyi -- our solution was to patch barnyard to directly write to the acid_event and sensor table and disable cache updating. We were having load issues with the number of events being updated in the cache, so having barnyard directly write the appropriate data really helps performance. We're working on cleaning up the patches so others can try it out. It was really straightforward, and we haven't (yet) had any problems, but we've only been live for less than a week.

     
  • Kevin Johnson

    Kevin Johnson - 2007-07-31

    Logged In: YES
    user_id=836228
    Originator: NO

    Could you please include some information on versions, platform, etc?

    Thanks
    Kevin

     
  • Yaroslav Klyukin

    Logged In: YES
    user_id=1854978
    Originator: YES

    Can you please give some details on how to "barnyard to directly write to the
    acid_event and sensor table and disable cache updating" please?
    This is most likely what I really need.

    I am running BASE on OpenSuSE 10.1 Linux.

     
  • Kevin Johnson

    Kevin Johnson - 2007-11-19

    Logged In: YES
    user_id=836228
    Originator: NO

    Coulod you please increase the logging level and then send me the log?

    Thanks
    Kevin

     
  • Kevin Johnson

    Kevin Johnson - 2007-12-28

    Logged In: YES
    user_id=836228
    Originator: NO

    The patch to barnyard will be in the 1.4.0 release. It will be in the contrib directory.

    Kevin

     
  • Kevin Johnson

    Kevin Johnson - 2007-12-28
    • assigned_to: nobody --> secureideas
    • status: open --> closed-fixed
     

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:





No, thanks