Make enable/disable of event watch types less confusing
With this scope.yml file, all event watch types are enabled. This is because our default is to have all event watch types enabled. Since no event watch types are explicitly defined, all event watch types are enabled.
cribl:
  enable: true
  transport:
    type: tcp
    tls:
      enable: true
Now where things go sideways from a user's point of view... With this scope.yml file, all event watch types (except for the file type) are disabled. Why? We don't have another way to disable event watch types in the config file but to omit them from the configuration.
cribl:
  enable: true
  transport:
    type: tcp
    tls:
      enable: true
event:
  watch:
    - type: file
      name: (\/logs?\/(?!zeus\.log))|(?<!zeus)(\.log$)|(\.log[.\d])
      value: .*
When the user changed from the first to the second of these configs, they were only trying to customize the name filter for the file watch type. They did not intend to change any other settings, so they were surprised when all other event watch types were suddenly disabled by this change.
Perhaps we need to make the enable/disable of watch types more explicit in the config file. Trying to use inclusion or omission as enable/disable is tricky. The environment variables we provide are perhaps a more reasonable way to enable/disable.
SCOPE_EVENT_LOGFILE=true
SCOPE_EVENT_CONSOLE=true
SCOPE_EVENT_HTTP=true
SCOPE_EVENT_NET=true
SCOPE_EVENT_FS=true
SCOPE_EVENT_DNS=true
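
A pre-deployment check for the behaviour described above, as an added example that is not part of the original issue or of the project's code: it compares two parsed scope.yml files and reports watch types that a change disables only by omission. The function names are hypothetical, and the watch type names other than file are assumed to be the lowercase suffixes of the SCOPE_EVENT_* variables listed above.

```python
# Added example, not project code. "file" is the type shown in the issue's
# config; the other names are ASSUMED from the SCOPE_EVENT_* variable names.
ALL_WATCH_TYPES = frozenset({"file", "console", "http", "net", "fs", "dns"})


def effective_watch_types(cfg):
    """Return the watch types a parsed scope.yml (a dict) leaves enabled."""
    event = cfg.get("event") or {}
    if "watch" not in event:
        # No watch list defined: the default applies and every type is enabled.
        return set(ALL_WATCH_TYPES)
    # A watch list is defined: only the listed types stay enabled.
    # (An empty list is treated as "nothing listed"; that is an assumption.)
    return {w["type"] for w in (event["watch"] or []) if "type" in w}


def implicitly_disabled(old_cfg, new_cfg):
    """Watch types enabled before the change and dropped by omission after it."""
    return sorted(effective_watch_types(old_cfg) - effective_watch_types(new_cfg))


# Constructed inputs: the two configs from the issue, in the shape a YAML
# loader such as yaml.safe_load would return them.
CRIBL = {"enable": True, "transport": {"type": "tcp", "tls": {"enable": True}}}
BEFORE = {"cribl": CRIBL}
AFTER = {
    "cribl": CRIBL,
    "event": {
        "watch": [
            {
                "type": "file",
                "name": r"(\/logs?\/(?!zeus\.log))|(?<!zeus)(\.log$)|(\.log[.\d])",
                "value": ".*",
            }
        ]
    },
}

if __name__ == "__main__":
    lost = implicitly_disabled(BEFORE, AFTER)
    if lost:
        print("config change disables watch types:", ", ".join(lost))
```

Run against the two configs from the issue, the check flags every type except file, which is the loss of event coverage the user did not intend.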