[prev in list] [next in list] [prev in thread] [next in thread] 

List:       prelude-devel
Subject:    Re: [prelude-devel] Meaning of keys in table Prelude_Analyzer
From:       Yoann Vandoorselaere <yoann () prelude-ids ! org>
Date:       2003-12-12 16:55:42
Message-ID: 1071248141.764.7.camel () alph
[Download RAW message or body]

On Fri, 2003-12-12 at 17:20, Till Dörges wrote:
> Hi everyone,
> 
> I'd like to know the exact meaning for each field of the primary key of
> the table Prelude_Analyzer.

Hi,

<disclaimer>current db scheme suck</disclaimer>


> Looking at Prelude_Analyzer:

> parent_ident corresponds to Prelude_Alert.ident, I guess. Or is it
> possible that a parent_ident occurs twice? (Maybe for heart-beats?)

An alert and an heartbeat can have the same ident. They are
distinguished using the parent_type field (read ahead).

[...]

> What does 'H' and what does 'A' mean? Are these the only possible values
> for parent_type? 

H -> Heartbeat
A -> Alert

Yes, no other possible value, AFAIR.

> And what about ident?

Hummm... I guess it's an error, a duplicate of analyzerid. Don't use it.

> At present I'm unable to determine which sensor provided me with data
> because sometimes for 1 alert-ident I get 2 sensor-ids:

As said above, alert and heartbeat ID can be duplicate, so you just need
to use parent_type to get what you want...

-- 
Yoann Vandoorselaere, http://www.prelude-ids.org

"Programming is a race between programmers, who try and make more and 
 more idiot-proof software, and universe, which produces more and more 
 remarkable idiots. Until now, universe leads the race"  -- R. Cook



[prev in list] [next in list] [prev in thread] [next in thread]