Is there any way to log multiple log streams to a single sqlite database as different tables, or does each logging stream / table have to be in a separate file?
If the answer is the latter, how much work would be involved in adding support for multiple writers?
Hello Tony,
Is there any way to log multiple log streams to a single sqlite database
as different tables, or does each logging stream / table have to be in a
separate file?
That should in principle work - I think you should be able to specify the
same path for two logging filters while using different tablenames in the
$config (see
https://www.bro.org/sphinx-git/frameworks/logging-input-sqlite.html for an
example).
That being said, it might lead to a couple of problems. Each of the output
streams will run in a separate thread and open the database individually.
That means only one of the threads can write to the database
simultaneously (see SQLite Frequently Asked Questions). This will
probably have significant performance implications. I am also not quite
sure how well the logging framework deals with the fact that a db is
currently blocked and it is not able to write.
I hope that helps,
Johanna
Please do -- we should probably at least try to acquire a lock for a bit
before failing.
Johanna