From cb9d419fa4846a09bafac8fa5564940abbf7483e Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu
Date: Thu, 8 Oct 2020 09:41:29 -0500
Subject: [PATCH] Add CaptureLoss::initial_watch_interval for a quick read on cluster health after startup.

---
 scripts/policy/misc/capture-loss.zeek | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/scripts/policy/misc/capture-loss.zeek b/scripts/policy/misc/capture-loss.zeek
index 5e0e49bc9d..a6fff664e0 100644
--- a/scripts/policy/misc/capture-loss.zeek
+++ b/scripts/policy/misc/capture-loss.zeek
@@ -39,9 +39,14 @@ export {
 		percent_lost: double &log;
 	};
 
-	## The interval at which capture loss reports are created.
+	## The interval at which capture loss reports are created in a
+	## running cluster (that is, after the first report).
 	option watch_interval = 15mins;
 
+	## For faster feedback on cluster health, the first capture loss
+	## report is generated this many minutes after startup.
+	option initial_watch_interval = 1mins;
+
 	## The percentage of missed data that is considered "too much"
 	## when the :zeek:enum:`CaptureLoss::Too_Much_Loss` notice should be
 	## generated. The value is expressed as a double between 0 and 1 with 1
@@ -82,5 +87,5 @@ event zeek_init() &priority=5
 	# We only schedule the event if we are capturing packets.
 	if ( reading_live_traffic() || reading_traces() )
-		schedule watch_interval { CaptureLoss::take_measurement(network_time(), 0, 0) };
+		schedule initial_watch_interval { CaptureLoss::take_measurement(network_time(), 0, 0) };
 	}
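Review bot: The new doc comment on `initial_watch_interval` says the first report is generated "this many minutes after startup", but the option is an interval value (`1mins`), not a count of minutes, so a reader setting `initial_watch_interval = 30secs` would be misled by the wording. I would reword it to match the type and tie it to the sibling option, e.g. `## The interval after startup at which the first capture loss report is generated, for faster feedback on cluster health; later reports follow watch_interval.`. As far as this patch shows, the option is only consulted once in zeek_init, so unlike a value read on every cycle, redefining it via the config framework at runtime would have no effect; if that is the case it is worth stating in the comment (`## Only consulted once at startup; changing it at runtime has no effect.`), since operators often assume `option` values are live-tunable.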
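Review bot: The first `take_measurement` now fires after roughly one minute instead of fifteen, so the first percent_lost sample is computed over a much shorter window than every later one, and whether that short early window makes the `CaptureLoss::Too_Much_Loss` notice noisier right after startup (when a cluster is still settling) cannot be judged from this hunk because `take_measurement` and its rescheduling logic are outside it. It would be worth confirming that the first sample is not treated the same as a steady-state one for notice purposes, or documenting the trade-off next to the schedule call, e.g. `# First sample covers only initial_watch_interval; later ones use watch_interval.`. There is also no guard against a non-positive `initial_watch_interval`, which would schedule the measurement immediately with an empty window; a one-line check in zeek_init, or a note in the option's documentation, would make the intended range explicit. The body of zeek_init opens outside the hunk.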