#985: 'tail -f' functionality for file reading in input framework
------------------------+-----------------------------
 Reporter:  scampbell   |  Type:  Feature Request
 Status:  new           |  Priority:  Low
 Milestone:  Bro2.2     |  Component:  Bro
 Version:  git/master   |  Keywords:
------------------------+-----------------------------
With the current input framework, file data -> event translation requires
that the entire data file be read at bro start time. This can be
prohibitive when the file sizes become large (> 1GB).

It would be great to see a file open option that would start
reading at the end of the file.

I tried to update the ticket, but there seem to be issues with the
bug tracker.

The patch to support this functionality is attached - it is only a few
lines. An example of using this looks like:

    Input::add_event([$source=data_file, $reader=Input::READER_RAW,
                      $mode=Input::TSTREAM, $name="issh", $fields=lineVals,
                      $ev=sshLine]);

thanks!
scott
PATCH (2.58 KB)
PATCH.sig (65 Bytes)
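
The difference between replaying a file from the start and following it from the end, as an added Python illustration that is not code from the ticket or the attached patch. The `TailReader` class, the sample log lines, and the handling of partial lines and truncation are assumptions made here, not behaviour the patch is known to have.

```python
import os
import tempfile


class TailReader:
    """Line reader that can start at end-of-file and return only appended lines."""

    def __init__(self, path, from_end=True):
        self.f = open(path, "rb")
        if from_end:
            self.f.seek(0, os.SEEK_END)  # skip everything already in the file
        self.pending = b""               # bytes of a line not yet newline-terminated

    def poll(self):
        """Return the complete lines that appeared since the last poll."""
        # If the file shrank (truncated in place), restart from offset 0.
        if os.fstat(self.f.fileno()).st_size < self.f.tell():
            self.f.seek(0)
            self.pending = b""
        self.pending += self.f.read()
        # Everything before the last newline is complete; the rest is held back.
        *lines, self.pending = self.pending.split(b"\n")
        return [ln.decode("utf-8", "replace") for ln in lines]

    def close(self):
        self.f.close()


def demo():
    # Constructed sample data: two historical log lines, then live appends.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ssh.log")
        with open(path, "w") as w:
            w.write("old: Accepted password for alice\nold: Failed password for bob\n")
        replay = TailReader(path, from_end=False)  # whole file read at start
        tail = TailReader(path)                    # start at end of file
        out = {"replay": replay.poll(), "tail_initial": tail.poll()}
        with open(path, "a") as w:
            w.write("new: Failed password for root\nnew: partial")
        out["tail_after_append"] = tail.poll()
        with open(path, "a") as w:
            w.write(" line completed\n")
        out["tail_after_completion"] = tail.poll()
        replay.close()
        tail.close()
        return out
```
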