Disable CHECK_INTERVAL when using journalctl
If we are getting all our data from journalctl, I don't see a point in using the old polling method. This is an attempt to allow psad to wait for IO activity instead of waiting for a timeout.
I am using this for my personal servers with no ill effects. I am not asking you to accept this pull request, but I do ask that you consider the idea.
Since can_read() blocks by default, I removed the timeout to allow psad to wait until it receives activity from the child process watching journalctl (well actually I gave it a timeout of 120 since I guess we would not want it to accidentally block forever if the background process got killed). Once activity is detected we enter a second state defined by the while loop that calls can_read() with a short timeout. This is due to the fact that since we are reading from a pipe, we will never get an EOF and thus a normal read would block forever. Once the second read times out, the process then flows through the normal process (minus the last sleep $config{'CHECK_INTERVAL'}).
I did add a hard limit of @fw_packets < 10 since on a busy host this read would never time out, though perhaps we could set it to $config{'FW_MSG_READ_MIN_PKTS'}.
Thanks, this looks like a great addition. I will do some testing over the next couple of days.
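The two-state read described in the pull request above, as an added Perl sketch that is not the patch itself or psad code: a forked child stands in for the journalctl watcher and writes constructed log lines, and the parent blocks on can_read() with the 120-second safety timeout, then drains with a short timeout up to the 10-message limit. The names `$BLOCK_TIMEOUT`, `$DRAIN_TIMEOUT` and `$MAX_BATCH`, and the 0.5-second drain value, are assumptions.

```perl
#!/usr/bin/perl
# Added illustration, not psad code. The child stands in for the journalctl watcher.
use strict;
use warnings;
use IO::Select;

my $BLOCK_TIMEOUT = 120;   # long wait, so a dead child cannot block us forever
my $DRAIN_TIMEOUT = 0.5;   # short wait (assumed value; the page gives none)
my $MAX_BATCH     = 10;    # hard limit so a busy host still gets processed

pipe(my $rd, my $wr) or die "pipe: $!";
my $pid = fork();
die "fork: $!" unless defined $pid;
if ($pid == 0) {           # child: constructed sample log lines in two bursts
    close $rd;
    syswrite($wr, "kernel: IN=eth0 SRC=192.0.2.$_ DPT=22\n") for 1 .. 12;
    sleep 2;
    syswrite($wr, "kernel: IN=eth0 SRC=192.0.2.99 DPT=23\n");
    exit 0;
}
close $wr;                 # parent keeps only the read end

my $sel = IO::Select->new($rd);
my ($buf, $eof) = ('', 0);

until ($eof) {
    my @fw_packets;
    # State 1: nothing buffered, so block until activity or the safety timeout.
    my $timeout = $buf =~ /\n/ ? $DRAIN_TIMEOUT : $BLOCK_TIMEOUT;
    while (@fw_packets < $MAX_BATCH) {
        # Take complete lines out of the buffer before touching the pipe again.
        if ($buf =~ s/^([^\n]*)\n//) { push @fw_packets, $1; next; }
        last unless $sel->can_read($timeout);
        # State 2: activity seen, so later waits use the short drain timeout.
        $timeout = $DRAIN_TIMEOUT;
        # sysread avoids mixing stdio line buffering with select().
        my $n = sysread($rd, $buf, 4096, length $buf);
        unless ($n) { $eof = 1; last; }   # 0 = writer gone, undef = read error
    }
    # Normal processing would run here, with no trailing sleep.
    printf "processing %d message(s)\n", scalar @fw_packets if @fw_packets;
}
waitpid($pid, 0);
```

When the 120-second wait expires with no data, the batch is empty and the loop simply waits again; a zero-length sysread is what distinguishes a dead writer from an idle one.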