Hi Honia,
I took a look at your setup and made the following changes for testing:
type=Single
ptype=RegExp
pattern=\[\d{4}(-\d\d){2} (\d\d:){2}\d\d\].\s*Notification:\sseverity\s*=\s*([^,]*),\s*message\s=.\s*(\S+)\|(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})\|(CONFIG)
desc=$0
action=write - OKOKOKOK:

Honia,
are you running SEC in the daemon mode (with the -detach option)? If so, all
scripts in your rule files *must* be specified with full path names, since in
the daemon mode SEC changes its working directory to /.
Also, have you activated logging for SEC with the -log option? If so, what

A quick question -- did you save the foobar string into your input file
_before_ starting SEC? SEC does not read in already existing lines by default,
but rather jumps to the end of the file and waits for new lines to arrive. Try
to start SEC first and then type 'echo foobar >> yourfile' -- does