On Monday, December 5, 2016 5:34:12 PM EST Nikolai Kondrashov wrote:
> However, since libauparse is supposed to provide the service of
> communicating event boundaries to its users, does it make sense for it to
> return the EOE record? Especially as a separate, empty event, which doesn't
> add any information?
I suppose it could be stripped from the event, as its real purpose is locating
the event boundary. Since I don't know if the event will be relayed on to
another analytic processor, I've just kept it there. For example, you could
have a realtime plugin that passes its information to another process for
correlation and escalation. In that case keeping the record makes sense. But
for xml/json it can be dropped because it has its own way of defining an event
boundary.
-Steve
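Added example, not from this thread or from libauparse: a small Python grouper that treats EOE as the event boundary in the way discussed above, keeping the record only when a caller wants to relay the raw event onward and dropping it for JSON output, where the array structure already delimits events. The log lines are constructed samples, and the pure-Python regex parser stands in for the library.

```python
import json
import re
# Constructed sample audit records (not a real capture). Records of one event
# share the msg=audit(timestamp:serial) key; the kernel closes the event with
# an EOE record that carries no fields of its own.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1480976052.123:456): arch=c000003e syscall=2 success=yes exit=3 comm="cat" exe="/usr/bin/cat" key="files"
type=PATH msg=audit(1480976052.123:456): item=0 name="/etc/hosts" nametype=NORMAL
type=EOE msg=audit(1480976052.123:456):
type=USER_LOGIN msg=audit(1480976060.500:457): pid=1200 uid=0 auid=1000 msg='op=login id=1000 res=success'
type=EOE msg=audit(1480976060.500:457):
"""

RECORD_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')

def parse_record(line):
    """Split one raw record into its type, event key and name=value fields."""
    m = RECORD_RE.match(line)
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    fields = {k: v.strip('"\'') for k, v in FIELD_RE.findall(m.group('body'))}
    return {"type": m.group('type'), "key": (m.group('ts'), int(m.group('serial'))), "fields": fields}

def iter_events(lines, keep_eoe=False):
    """Group records into events; EOE is the boundary and is dropped unless keep_eoe."""
    current = None
    for line in filter(str.strip, lines):
        rec = parse_record(line)
        if current is not None and current["key"] != rec["key"]:
            yield current                     # key changed without an EOE: flush anyway
            current = None
        if current is None:
            current = {"key": rec["key"], "records": []}
        if rec["type"] != "EOE":
            current["records"].append(rec)
            continue
        if keep_eoe:                          # a relaying consumer may want the raw EOE
            current["records"].append(rec)
        yield current
        current = None
    if current is not None:                   # input ended mid-event (no EOE seen)
        yield current

def events_to_json(text):
    """JSON needs no EOE record: the array itself delimits events."""
    return json.dumps([{"timestamp": ev["key"][0], "serial": ev["key"][1],
                        "records": [{"type": r["type"], **r["fields"]} for r in ev["records"]]}
                       for ev in iter_events(text.splitlines())], indent=1)
```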