Thank you Risto.

I adjusted the config file and it works fine.

However, the action (which is to send me an email with the entry that has the 
pattern) is not performed. The action is:

action=pipe '%0' /usr/bin/mailx -s '[SEC] $s' [email protected]

In the log:

Feeding event '%0' to shell command '/usr/bin/mailx -s '[SEC] $s' 
[email protected]'

What am I missing?

Thanks


--- On Thu, 2/12/09, Risto Vaarandi <[email protected]> wrote:

> From: Risto Vaarandi <[email protected]>
> Subject: Re: [Simple-evcorr-users] installation and configuration guide
> To: [email protected]
> Cc: [email protected]
> Date: Thursday, February 12, 2009, 10:37 AM
> Gabriele Giorelli wrote:
> > Hi,
> > 
> > To start sec, I need to start it in background it seems, right?
> > 
> > /etc/rc3.d/S98sec start
> > 
> > Starting up Syslog Event Correlator: SEC (Simple Event Correlator) 2.5.0
> > Changing working directory to /
> > Reading configuration from /usr/local/etc/sec/sec.rules
> > SEC (Simple Event Correlator) 2.5.0
> > 
> > ^Z
> > [1]+  Stopped                 /etc/rc3.d/S98sec start
> > 
> 
> Hmmm, with the startup file and startup options you have,
> SEC should go into background automatically (have you
> preserved the -detach option in the
> /usr/local/etc/sec/sec.start file?).
> It actually goes to background in your case -- there is a
> message "Changing working directory to /" in its
> output which is logged only if SEC switches to daemon mode.
> 
> > Also, sec.rules looks now
> > 
> > type=Single
> > ptype=RegExp
> > pattern=error
> > desc=$0
> > action=pipe '%s' /usr/bin/mail -s 'error detected' [email protected]
> > 
> > Here I assume that whenever syslog has error (case not sensitive) entry, sec will send me an email. Correct?
> > 
> > 
> > And when I have more than 1 pattern, can I put them in a single pattern entry?
> > e.g.
> > pattern=error,warning
> 
> Well, not with using the comma!
> 
> SEC accepts a wide variety of things as patterns, but
> regular expression patterns (pattern type 'RegExp')
> are perhaps most commonly used. If you have had only limited
> experience with regular expressions, type the following
> command
> 
> perldoc perlretut
> 
> which should give you a good overview of the Perl regular
> expression dialect.
> 
> However, in order to provide you a short answer, you might
> want to use the following regular expression pattern:
> 
> (?:error|warning)
> 
> This captures both "error" and
> "warning" strings without assigning them to a
> special variable.
> 
> > 
> > Finally, I can specify the file that I can apply SEC to it in sec.start:
> > -input=/any/file.log
> > 
> > Correct?
> 
> exactly, use the -input option for that.
> 
> hth,
> risto
> 
> > 
> > thank you
> > 
> >
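
Added example, not part of the original messages: a small check of how the candidate pattern= values discussed in the thread behave on log lines. It uses Python's re module as a stand-in for the Perl dialect (the constructs used here behave the same way); the sample lines, the function names and the (?i) variant are assumptions made for this illustration.

```python
import re

# Constructed sample syslog lines (not taken from the thread).
SAMPLE_LINES = [
    "Feb 12 10:01:02 host1 kernel: disk error on sda",
    "Feb 12 10:01:05 host1 app[311]: warning: cache nearly full",
    "Feb 12 10:01:09 host1 app[311]: ERROR: upstream timeout",
    "Feb 12 10:01:12 host1 sshd[422]: session opened for user bob",
    "Feb 12 10:01:15 host1 app[311]: codes=error,warning",
]

# Candidate values for the rule's pattern= field.
CANDIDATES = {
    "single": r"error",
    "comma": r"error,warning",            # the comma is a literal character
    "alternation": r"(?:error|warning)",  # pattern given in the reply
    # Assumption: inline case-insensitive flag, added for comparison only.
    "alternation_nocase": r"(?i)(?:error|warning)",
}


def matching_lines(pattern, lines=SAMPLE_LINES):
    """Return indexes of lines where the pattern matches anywhere."""
    rx = re.compile(pattern)
    return [i for i, line in enumerate(lines) if rx.search(line)]


def compare(candidates=CANDIDATES, lines=SAMPLE_LINES):
    """Map each candidate name to the indexes of the lines it matches."""
    return {name: matching_lines(p, lines) for name, p in candidates.items()}


def capture_groups(pattern, line):
    """Return the captured groups for the first match, or None."""
    m = re.search(pattern, line)
    return m.groups() if m else None


if __name__ == "__main__":
    for name, hits in compare().items():
        print(f"{name:20s} {CANDIDATES[name]:28s} -> lines {hits}")
    # (?:...) groups without capturing; (...) would capture the word.
    print(capture_groups(r"(?:error|warning)", SAMPLE_LINES[0]))
    print(capture_groups(r"(error|warning)", SAMPLE_LINES[0]))
```

The comma pattern matches only the line that literally contains "error,warning", and the upper-case "ERROR" line is matched only by the case-insensitive variant.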


      


------------------------------------------------------------------------------
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
