This is similar to another feature request that I put
in in some respects. One of the major limits to SGUIL
is the number of active events the real-time console
can handle and that the sguild can send to sguil.tk.
This is particularly true during SGUIL client startup,
and also when a large number of backlogged events need
to be expired/categorized. This is exacerbated by the
basic SGUIL architecture that assumes analysts
constantly working with the real-time interface and
actively expiring or categorizing events that they are
not working on.
It would be convenient to have a SGUIL component that
could, based on rules set by the SGUIL
user/administrator, automatically expire active events
after they reach a certain age. This way, if the SGUIL
console collects dust for a few days due to lack of
appropriate attention, it does not become flooded.
Having an ability to auto-expire events based on total
count in addition to or instead of timestamp may be
appropriate, too. This gets more to the meat of the
problem of having too many events online.
Building this into Autocat maybe the best option, but
it's up to you all.
Log in to post a comment.