Hi Martin,
I like to configure rsyslog to write out to a file in /dev/shm (tmpfs)
and then have sec tail that. It provides the added benefit of a
single file to tail to get all logs coming in to rsyslog, which might
be tricky otherwise if you are breaking your log files out by date,
hostname
What I do is:
module(load="omprog")
$template myformat,"%hostname%"
action(type="omprog" name="myname"
       binary="/usr/bin/sec --conf=/etc/sec/myname --intevents --intcontexts --dump=/tmp/dumpfile.myname --debug=3 --log=/var/log/sec-myname --notail --input -"
       template="myformat")
Hi Martin,
that's a very good question. Since you want to avoid creating an extra file
on disk, the best communication option is a pipe from rsyslog to sec.
rsyslog's omprog module allows for running another program and feeding
events to the standard input of the program through a pipe. In the
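The omprog pipe described above, written out as a complete pair of files (an added example, not the configuration of either poster or of the rsyslog/sec projects). The file paths, the template name "secline", the action name "sec-mail", the log line being matched and the mail address are assumptions. The rsyslog template must end in "\n" so that sec receives one line per event on its stdin; the sec rule then mails once per host per ten-minute window instead of once per matching line.

```conf
# ---- /etc/rsyslog.d/50-sec.conf (assumed path) ----
# Feed every message rsyslog receives to sec over a pipe; nothing is written to disk.
module(load="omprog")

# One newline-terminated line per event, in the classic "timestamp host tag msg" layout
# (assumed format: sec reads stdin line by line, so the trailing \n is required).
template(name="secline" type="string"
         string="%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%\n")

# omprog starts sec once and keeps the pipe open; --input=- makes sec read stdin,
# --notail lets it exit cleanly when rsyslog closes the pipe on restart.
action(type="omprog"
       name="sec-mail"
       binary="/usr/bin/sec --conf=/etc/sec/mail.sec --input=- --notail --intevents --log=/var/log/sec-mail.log"
       template="secline")

# ---- /etc/sec/mail.sec (assumed path) ----
# Mail the operator when sshd reports a failed password, but at most once per host
# every 600 seconds so a burst of failures produces one message, not hundreds.
# $1 = reporting host, $2 = user name, $3 = source address (from the assumed line layout above).
type=SingleWithSuppress
ptype=RegExp
pattern=^\w{3} +\d+ \d\d:\d\d:\d\d (\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)
desc=SSH auth failure on $1 for user $2 from $3
action=pipe '%s' /usr/bin/mail -s 'sec alert: SSH auth failure on $1' ops@example.com
window=600
```

To check the rule without rsyslog, the same sec command line can be run by hand with a few constructed lines fed to its stdin (for example from a small test file via `--input=-`); because `--notail` is set, sec processes them and exits at end of input, which also confirms the process will be restartable when rsyslog re-opens the pipe.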
Hi, I am a noob with sec. I already have rsyslog sending all logs to
elasticsearch, but I want some specific events to make sec trigger a mail to
me.
Maybe this is an always-asked question, but I didn't find information about
rsyslog sending the logs (without a file) directly to sec.
Thanks in