Hi,

To start sec, I need to start it in background it seems, right?

/etc/rc3.d/S98sec start

Starting up Syslog Event Correlator: SEC (Simple Event Correlator) 2.5.0
Changing working directory to /
Reading configuration from /usr/local/etc/sec/sec.rules
SEC (Simple Event Correlator) 2.5.0

^Z
[1]+  Stopped                 /etc/rc3.d/S98sec start

Also, sec.rules now looks like this:

type=Single
ptype=RegExp
pattern=error
desc=$0
action=pipe '%s' /usr/bin/mail -s 'error detected' [email protected]

Here I assume that whenever syslog has an error (case not sensitive) entry, sec 
will send me an email. Correct?


And when I have more than 1 pattern, can I put them in a single pattern entry?
e.g.
pattern=error,warning

Finally, I can specify the file to apply SEC to in sec.start:
-input=/any/file.log

Correct?

thank you


--- On Thu, 2/12/09, Risto Vaarandi <[email protected]> wrote:

> From: Risto Vaarandi <[email protected]>
> Subject: Re: [Simple-evcorr-users] installation and configuration guide
> To: [email protected]
> Cc: [email protected]
> Date: Thursday, February 12, 2009, 8:08 AM
> hi,
> there are three steps here:
> 
> 1) Install SEC itself -- since currently there is no
> package file for Solaris, get the source distribution,
> unpack it, and copy the sec.pl file from the distribution to
> the /usr/local/bin directory
> 
> 2) Create a proper startup file for SEC
> (/etc/rc3.d/S98sec), so that SEC would be started at the
> next system boot. For that you can use a sample startup file
> from the distribution -- have a look at
> contrib/startup.solaris and edit it according to your needs.
> Basically you have to remove the first 4-5 lines up to
> #!/bin/bash. Also, the last few lines beginning with
> "#---------/usr/local/etc/sec/sec.start" should go
> to a separate file called /usr/local/etc/sec/sec.start
> 
> 3) Create the /usr/local/etc/sec/sec.rules file and add
> the rules there that you consider important. If you are new to
> SEC, I would recommend beginning with a couple of Single or
> SingleWithSuppress rules for monitoring common fault
> conditions.
> 
> Basically, the Single rule looks like this:
> 
> type=Single
> ptype=RegExp
> pattern=your_regular_expression
> desc=$0
> action=pipe '%s' /usr/bin/mail -s 'syslog alert' root
> 
> You have to identify the log messages you want to be
> alerted on, and then write regular expressions for matching
> these messages.
> 
> Unfortunately, there is no out-of-the-box rule file for
> Solaris at the rule repository, since the things people want
> to monitor depend on the local environment a lot (log
> messages that are not so relevant for one site are highly
> important for other sites).
> 
> br,
> risto
> 
> 
> Gabriele Giorelli wrote:
> > Hello,
> > 
> > I want to install sec on a Solaris 10 box and then monitor the syslog file for several patterns.
> > 
> > Can you please assist on the install and config part?
> > 
> > thanks,
> > 


      


_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
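
Added example, not part of the original thread and not from the SEC distribution: a rule file sketch for the two pattern questions raised above (several keywords in one rule, case-insensitive matching). The keywords, the 300 second window and the mail recipient are assumptions chosen for illustration.

```conf
# Constructed example rules for /usr/local/etc/sec/sec.rules.
# Comment lines and empty lines separate rule definitions, so comments
# are placed before each rule, never inside it.
#
# ptype=RegExp patterns are Perl regular expressions. They are searched
# for anywhere in the input line and are case-sensitive by default:
#   pattern=error          matches "error", but not "ERROR" or "Error"
#   pattern=error,warning  matches only the literal text "error,warning"
#                          (a comma has no special meaning in a regex)

# Variant A: alternation (|) covers several keywords in one rule, and
# the inline (?i) modifier makes the whole pattern case-insensitive.
# One mail is sent for every matching line.
type=Single
ptype=RegExp
pattern=(?i)error|warning
desc=$0
action=pipe '%s' /usr/bin/mail -s 'syslog alert' root

# Variant B: same pattern, but at most one mail per keyword every 300
# seconds. Suppression is keyed on the desc string, so desc uses the
# captured keyword ($1) instead of the full line ($0), whose timestamp
# would make every key unique. The action still mails the full line.
# Use A or B, not both: a Single rule does not pass a matched line on
# to later rules by default, so B would never see lines matched by A.
type=SingleWithSuppress
ptype=RegExp
pattern=(?i)(error|warning)
desc=syslog keyword $1 seen
action=pipe '$0' /usr/bin/mail -s 'syslog alert' root
window=300
```

The rules can be checked before touching the startup script by running sec.pl with -conf pointing at the rule file and -input=- so that test lines are read from standard input.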
