output/flush: Correct EVE flushing logic#15241
Closed
jlucovsky wants to merge 4 commits into
Closed
Conversation
Add flushing logic driven off of the file contexts. This is a simpler solution that removes the need for logger registration changes. Overview: Use the heartbeat-driven thread to periodically flush all registered EVE contexts via a global flush list. The global flush list is a mutex-protected TAILQ of LogFileFlushEntry nodes; each node points to a LogFileCtx. Mutex = log_file_flush_mutex Periodic flushing performed by a thread according to the heartbeat.output-flush-interval [1,60]. LogFileFlushAll() is invoked to initiate flushing of registered LogFileCtx structs; each struct's fp_mutex is obtained while the flush occurs to synchronize with LogFileWrite activity. Interacts with file-rotation via the fp_mutex. Deadlock prevention: the log_file_flush_mutex must be obtained before the fp_mutex. Issue: 8286 (cherry picked from commit a78911f)
Remove packet-based flush logic in favor of simpler solution Issue: 8286 (cherry picked from commit d0ba1c4)
Remove log flush functions and update registration logic as context-based flushing doesn't require it. Issue: 8286 (cherry picked from commit 1923ca1)
Update output flushing description to reflect EVE based approach in documentation and config template. Added: Provide update callout for out-of-tree output plugins. Issue: 8286 (cherry picked from commit e7dc0d8)
jlucovsky
requested review from
a team,
jufajardini and
victorjulien
as code owners
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main-8.0.x #15241 +/- ##
===========================================
Coverage 81.56% 81.57%
===========================================
Files 1012 1012
Lines 275213 275139 -74
===========================================
- Hits 224490 224441 -49
+ Misses 50723 50698 -25
Flags with carried forward coverage won't be shown. Click here to find out more. 🚀 New features to boost your workflow:
|
|
Information: QA ran without warnings. Pipeline = 31021 |
victorjulien
approved these changes
May 8, 2026
Member
|
Merged in #15343, thanks! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Continuation of #15107
Backport of changes made for issue 8286 for main-8.0.x backport.
Link to ticket: https://redmine.openinfosecfoundation.org/issues/8400
Describe changes:
Updates:
Provide values to any of the below to override the defaults.
link to the pull request in the respective
_BRANCHvariable.SV_REPO=
SV_BRANCH=
SU_REPO=
SU_BRANCH=