Hi Joanna,

that is an interesting question which has been discussed before on the
mailing list. You can find some past threads here:
http://sourceforge.net/mailarchive/message.php?msg_id=26661175
http://sourceforge.net/mailarchive/message.php?msg_id=26662612

Although sec does not support timestamp variables in input file names, this
issue can be addressed with the following technique -- set up a symbolic
link with a constant filename from sec rule(s), so that the link points to the
input file for the current date, and update the link each midnight to point to
the input file for the new date. After this has been accomplished, one can
configure sec to monitor the symbolic link which has a constant filename.
This approach works for UNIX platforms, and as far as I know, it should
also work for Cygwin perl (other Windows perls do not provide decent unix
emulation for it). For example, consider the following rules:

type=Single
ptype=SubStr
pattern=SEC_STARTUP
context=SEC_INTERNAL_EVENT
desc=set symbolic link to current log file when SEC starts
action=shellcmd ln -s -f %{.year}%{.mon}%{.mday}.log log

type=Calendar
time=0 0 * * *
desc=update symbolic link for new log file at midnight
action=shellcmd ln -s -f %{.year}%{.mon}%{.mday}.log log

In the above example, the symbolic link has the name 'log', so you can
start sec with the following command line parameters:

sec-2.7.11/sec --conf=myrules.sec --input=log --reopen-timeout=5 --intevents

Note the presence of the --reopen-timeout command line option. This option
tries to reopen the input file every 5 seconds if it didn't exist at SEC
startup, until the file appears and the open succeeds. This option is necessary
for handling two scenarios:
1) the symbolic link 'log' does not exist when sec is started (input files are
opened *before* the SEC_STARTUP event is generated)
2) the file that the symbolic link refers to does not exist when sec is started

This might also raise a question -- what will happen if the symbolic link is
updated at midnight, and what if the file it refers to does not exist yet?
When the symbolic link gets updated, sec will see it as input file rotation,
and will immediately switch over to the new input file. If the new file for the
new date does not exist, for sec it appears as if the input file has been removed
from disk, and in that case it will switch over to the new input file at the
moment it gets created. The past mailing list threads mentioned above
provide a more detailed discussion of how the switchover happens internally.

Hope this helps,
risto
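
The link update described above, as an added shell example that is not part of the original message or of SEC itself: it repoints the constant-name link by rename, so the name 'log' never disappears during the switch, and reports which of the two startup scenarios applies. The function names and the directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original message. The names repoint_log_link and
# link_state, and the directory argument, are assumptions for illustration.

# Point <dir>/log at <dir>/YYYYMMDD.log. The new link is created under a
# temporary name and renamed into place; depending on the ln implementation,
# "ln -s -f" may remove the old link before creating the new one, which
# leaves a short window in which the constant name does not exist.
repoint_log_link() {
    dir=$1
    day=${2:-$(date +%Y%m%d)}
    # Accept exactly eight digits so the value cannot carry path components.
    case $day in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "bad date: $day" >&2; return 1 ;;
    esac
    # If "log" is (or resolves to) a directory, mv would move the link into it.
    if [ -d "$dir/log" ]; then
        echo "$dir/log is a directory" >&2; return 1
    fi
    tmp="$dir/.log.tmp.$$"
    rm -f "$tmp"
    ln -s "$day.log" "$tmp" || return 1
    mv -f "$tmp" "$dir/log" || { rm -f "$tmp"; return 1; }
}

# Report the state of <dir>/log:
#   missing  - the link itself does not exist (scenario 1 in the message)
#   dangling - the link exists, the dated file does not yet (scenario 2)
#   ok       - the link resolves to an existing file
link_state() {
    link=$1/log
    if [ ! -L "$link" ]; then
        echo missing
    elif [ ! -e "$link" ]; then
        echo "dangling:$(readlink "$link")"
    else
        echo "ok:$(readlink "$link")"
    fi
}
```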


2017-08-11 10:40 GMT+03:00 Joanna Christou <ioannachris...@hotmail.com>:
>
> Hi Mr Risto,
>
>
> I would like to know if there is a way for SEC to search for the latest file.
>
> My log files names are like ->  YYYYMMDD.log (20170810.log)
>
> Please if it's possible to provide me with an example
>
>
> Kind Regards,
>
> Joanna Christou
>
>
>
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users