Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Add CaptureLoss::initial_watch_interval for a quick read on cluster health after startup.

Browse source
This commit is contained in:
Vlad Grigorescu 2020-10-08 09:41:29 -05:00
parent bb3527c955
commit cb9d419fa4
1 changed files with 7 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

9
scripts/policy/misc/capture-loss.zeek
View file

@ -39,9 +39,14 @@ export {
percent_lost: double &log; percent_lost: double &log;
}; };
## The interval at which capture loss reports are created. ## The interval at which capture loss reports are created in a
## running cluster (that is, after the first report).
option watch_interval = 15mins; option watch_interval = 15mins;
## For faster feedback on cluster health, the first capture loss
## report is generated this many minutes after startup.
option initial_watch_interval = 1mins;
## The percentage of missed data that is considered "too much" ## The percentage of missed data that is considered "too much"
## when the :zeek:enum:`CaptureLoss::Too_Much_Loss` notice should be ## when the :zeek:enum:`CaptureLoss::Too_Much_Loss` notice should be
## generated. The value is expressed as a double between 0 and 1 with 1 ## generated. The value is expressed as a double between 0 and 1 with 1
@ -82,5 +87,5 @@ event zeek_init() &priority=5
# We only schedule the event if we are capturing packets. # We only schedule the event if we are capturing packets.
if ( reading_live_traffic() || reading_traces() ) if ( reading_live_traffic() || reading_traces() )
schedule watch_interval { CaptureLoss::take_measurement(network_time(), 0, 0) }; schedule initial_watch_interval { CaptureLoss::take_measurement(network_time(), 0, 0) };
} }