So I used the purgewhenfull filter (as suggested in the faq/readme :) to delete events when the disk gets over 90% full.
I'm confused about the difference between a filter that is saved and when it is executed.
Does the filter stay and get executed indefinitely, or is it a one time shot?
If it's a one time thing, do most people just run a cron job to trigger the filter?
Does the filter apply only to one monitor or can it apply to all of them?
And the readme warns about limiting what is returned from the filter, otherwise all events would be deleted. Am I reading that right? How do I avoid this problem?
Thanks!
E
question on how filters work.
> Does the filter stay and get executed indefinitely, or is it a one time shot?

It runs every time at the freq you have your filter reload set to.

> I'm confused about the difference between a filter that is saved and when it is executed.

Executing it manually will just return the results; when you save it you can select delete, email, upload etc. Basically every time the filter is executed all the results returned will have the selected option performed on them, i.e. delete.

> If it's a one time thing, do most people just run a cron job to trigger the filter?

No, we leave zmfilter and zmaudit to do it for us, but you can't run one time filters this way.

> Does the filter apply only to one monitor or can it apply to all of them?

Depends on how you set the filters.

And to check you're not wiping it all away, that's why you check the results. Whatever is returned would have been deleted/uploaded/emailed etc.
James Wilson
Disclaimer: The above is pure theory and may work on a good day with the wind behind it. etc etc.
http://www.securitywarehouse.co.uk