disable_stream vs remove_filter

I am trying to figure out if there are any pros or cons to using disable_stream vs remove_filter.

From the reading they appear as if they are interchangeable… but I want to make sure that one of them doesn’t have negative interplay.

Background of the event is:

I have Log::remove_filter(Files::LOG, "default"); and created my own log where I only store certain mime_types.
I decided also that I wanted to remove other log files (weird, dpd, modbus, communication, known_*, PacketFilter) that aren’t being used when research is performed.
I have commented out some in the local.bro but need to either disable_stream or remove_filter the rest.
Also, I currently have 2.2 and 2.3 running. I am using 2.4 for testing and then figuring backwards compatibility.

I am looking for:

  1. Will one give me a performance gain over the other?
  2. Will one cause problems for other calls being made (If I disable_stream and something calls that stream will it break)?
  3. If I disable a stream and later decide to add a new filter, will that work?

I am still testing some of this, but any help would be greatly appreciated!

Thanks,

Adam “RedLight” Hall
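The setup Adam describes, written out as a Bro 2.x script. This is an added example, not code from the thread or from the Bro project: the stream identifiers and the Files::Info mime_type field are the stock Bro ones, while the module name, the filter name "mime-only", the output path "files-mime", the MIME list and the set of streams to turn off are assumptions chosen for illustration.

```bro
# Added example: replace the default files.log with a MIME-filtered one and
# turn off streams that are not needed for research. Names marked "assumed"
# are not from the thread.

@load base/frameworks/files
@load base/frameworks/logging
@load base/protocols/modbus
# The Known::* streams live in policy/ and only exist if these are loaded
# (the stock local.bro loads them).
@load policy/protocols/conn/known-hosts
@load policy/protocols/conn/known-services
@load policy/protocols/ssl/known-certs

module FilesMime;   # assumed module name

export {
	# MIME types worth keeping (constructed list; adjust to the research).
	const interesting_mimes: set[string] = {
		"application/x-dosexec",
		"application/pdf",
		"application/zip",
	} &redef;

	# Streams that are not used; disable_stream stops every write to the
	# stream no matter how many filters it carries.
	const unused_streams: set[Log::ID] = {
		Weird::LOG,
		DPD::LOG,
		Modbus::LOG,
		Communication::LOG,
		Known::HOSTS_LOG,
		Known::SERVICES_LOG,
		Known::CERTS_LOG,
		PacketFilter::LOG,
	} &redef;
}

# Negative priority so this runs after the default streams and their
# "default" filters have been created by the base scripts.
event bro_init() &priority=-10
	{
	# 1. Detach the stock files.log writer (the filter named "default") ...
	Log::remove_filter(Files::LOG, "default");

	# 2. ... and attach a filter whose predicate keeps only records that have
	#    a mime_type in the interesting set. Path is assumed: files-mime.log.
	Log::add_filter(Files::LOG, [$name="mime-only",
	                             $path="files-mime",
	                             $pred(rec: Files::Info) = {
	                                 return rec?$mime_type &&
	                                        rec$mime_type in interesting_mimes;
	                             }]);

	# 3. Switch off the streams nobody reads, rather than hunting down and
	#    removing each stream's default filter individually.
	for ( id in unused_streams )
		Log::disable_stream(id);
	}
```

Drop the script next to local.bro and @load it from there. The two calls differ in scope: remove_filter detaches one named output from a stream, so any other filter still attached keeps writing, while disable_stream makes every Log::write to that stream a no-op regardless of its filters. Streams that only carry the stock "default" filter behave the same under either call, which is why the two look interchangeable in the documentation.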

1) Will one give me a performance gain over the other?

Probably nothing noticeable.

2) Will one cause problems for other calls being made (If I disable_stream and something calls that stream will it break)?

Nope, no problems.

3) If I disable a stream and later decide to add a new filter, will that work?

I’m having trouble remembering, but logging settings may not all be changeable at runtime. I’m actually curious which settings are possible at runtime. I assume you were talking about changes during runtime?

  .Seth