Gabriele Giorelli wrote:
> Hi,
>
> To start sec, I need to start it in background it seems, right?
>
> /etc/rc3.d/S98sec start
>
> Starting up Syslog Event Correlator: SEC (Simple Event Correlator) 2.5.0
> Changing working directory to /
> Reading configuration from /usr/local/etc/sec/sec.rules
> SEC (Simple Event Correlator) 2.5.0
>
> ^Z
> [1]+ Stopped /etc/rc3.d/S98sec start
>

Hmmm, with the startup file and startup options you have, SEC should go into background automatically (have you preserved the -detach option in the /usr/local/etc/sec/sec.start file?). It actually goes to background in your case -- there is a message "Changing working directory to /" in its output which is logged only if SEC switches to daemon mode.

> Also, sec.rules looks now
>
> type=Single
> ptype=RegExp
> pattern=error
> desc=$0
> action=pipe '%s' /usr/bin/mail -s 'error detected' [email protected]
>
> Here I assume that whenever syslog has error (case not sensitive) entry, sec
> will send me an email. Correct?
>
>
> And when I have more than 1 pattern, can I put them in a single pattern entry?
> e.g.
> pattern=error,warning

Well, not with using the comma! SEC accepts a wide variety of things as patterns, but regular expression patterns (pattern type 'RegExp') are perhaps most commonly used. If you have had only limited experience with regular expressions, type the following command

    perldoc perlretut

which should give you a good overview of the Perl regular expression dialect. However, in order to provide you a short answer, you might want to use the following regular expression pattern:

    (?:error|warning)

This captures both "error" and "warning" strings without assigning them to a special variable.

>
> Finally, I can specify the file that I can apply SEC to it in sec.start:
> -input=/any/file.log
>
> Correct?

Exactly, use the -input option for that.

hth,
risto

>
> thank you
>
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
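The pattern question in the thread above can be checked outside SEC. The following Perl script is an added example, not part of the original message or of SEC itself; it runs the two pattern values from the thread over constructed syslog lines. The `(?i)` variant, the `matching_lines` helper and the sample lines are assumptions added here to show how letter case affects which events would reach the mail action.

```perl
#!/usr/bin/perl
# Added example: compares candidate SEC RegExp patterns on constructed log lines.
use strict;
use warnings;

# Constructed sample syslog lines (not taken from the original thread).
my @lines = (
    'Jan 10 12:00:01 host1 kernel: disk error on sda',
    'Jan 10 12:00:02 host1 app[311]: warning: cache nearly full',
    'Jan 10 12:00:03 host1 app[311]: ERROR: backend unreachable',
    'Jan 10 12:00:04 host1 app[311]: saw error,warning in config',
    'Jan 10 12:00:05 host1 sshd[402]: session opened for user alice',
);

# Candidate values for the rule's pattern= field.
my @patterns = (
    'error,warning',            # the comma is a literal character, not "or"
    '(?:error|warning)',        # alternation; Perl matching is case sensitive
    '(?i)(?:error|warning)',    # same, with Perl's inline case-insensitive flag
);

# Hypothetical helper: return the input lines that a pattern matches.
# In a Single rule with desc=$0, each matching line would become the
# event description that the action receives as %s.
sub matching_lines {
    my ($pattern, @input) = @_;
    my $re = qr/$pattern/;
    return grep { $_ =~ $re } @input;
}

for my $pattern (@patterns) {
    my @hits = matching_lines($pattern, @lines);
    printf "pattern=%s matched %d of %d lines\n",
        $pattern, scalar @hits, scalar @lines;
    print "    $_\n" for @hits;
}
```

Lines that only the `(?i)` variant reports are events that the case-sensitive rule would pass over without sending mail.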
