Hi Jeroen,

This has been kicking around for a while. Let me see if I can remember...

Since SEC uses time(), you would have to write a Perl function that replaces that function locally. Once you do this, you have some ability to read pre-existing logs. However, there are several things to consider:

- Time lapses. Let's say that you read a timestamp of 03:15:10 and on the next line, the timestamp is 03:15:55. You've just crossed over 45 seconds of time. If there are SEC rules that perform window calculations, such as PairWithWindow, you must somehow account for the fact that you've skipped over those seconds - perhaps the time window expired within that 45 seconds, and there may be a resulting action that needs to happen.

- External interaction. In the example above, if the action called a separate script that called the Unix date function (to get a timestamp inside a script, for example), that time would be real-world clock time - not your time() function's sped-up time.

- Internals. SEC uses internal timestamps for certain actions. If your time() function gives SEC the wrong time, it may cause SEC problems.

The nicest way to fix this would be to speed up the operation of the entire system - i.e. make time run faster for everything on the SEC host. I don't know if anyone has done that, but it would be interesting.

Bottom line - I don't think it's possible. But others may have a better idea...

Best Regards,
Jim B.
________________________________
From: Jeroen Scheerder [mailto:[email protected]]
Sent: Tue 3/31/2009 10:51 AM
To: [email protected]
Subject: [Simple-evcorr-users] Q - Post-hoc, non-realtime logfile processing

Hi,

I'm a relative newcomer to SEC. I've been exploring it with good results so far. Yet there's one thing. SEC timestamps lines it reads with the current time. This is excellent for real-time analysis, but for later analysis that's not so hot. Syslog files are timestamped, and I'd like to use these timestamps instead of "$time = time()".

Has anybody done this before, and will Pair/PairWithWindow work if I modify the read_line function to extract timestamps from loglines? Or is this a Very Bad Idea for some or other reason?

Regards,
Jeroen.

--
Jeroen Scheerder
ON2IT B.V.
Steenweg 17 B
4181 AJ WAARDENBURG
T: +31 418-653818 | F: +31 418-653716
W: www.on2it.nl | E: [email protected]

------------------------------------------------------------------------------
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
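The approach Jim describes (a local replacement for the Perl time() builtin driven by the timestamps in the log, plus the "time lapse" caveat for window rules) as an added Perl example. This is not SEC's code and not code from either poster: the correlation logic is a stand-in for a PairWithWindow-style rule, not SEC's implementation, and it assumes a year for the year-less syslog stamps, a fixed 30-second window, and a few constructed sshd lines.

```perl
#!/usr/bin/perl
# Added example, not SEC's own code: drive time() from syslog timestamps and
# expire correlation windows that lapse inside the gap between two log lines.
use strict;
use warnings;
use Time::Local qw(timelocal);

# Clock driven by the log instead of the wall clock; undef until the first line.
my $replay_clock;

BEGIN {
    # Replace the builtin for this whole program. Any code compiled after this
    # point (rules, helper modules) sees the replayed time instead of real time.
    *CORE::GLOBAL::time = sub { defined $replay_clock ? $replay_clock : CORE::time() };
}

# Syslog lines carry no year; this assumed value supplies one (the thread's year).
my $ASSUMED_YEAR = 2009;
my %MON = (Jan=>0, Feb=>1, Mar=>2, Apr=>3, May=>4,  Jun=>5,
           Jul=>6, Aug=>7, Sep=>8, Oct=>9, Nov=>10, Dec=>11);

# Parse "Mar 31 03:15:10 host prog: msg" into (epoch, message); empty list if no stamp.
sub parse_line {
    my ($line) = @_;
    return unless $line =~ /^(\w{3})\s+(\d{1,2}) (\d\d):(\d\d):(\d\d) \S+ (.*)$/;
    my ($mon, $day, $h, $m, $s, $msg) = ($1, $2, $3, $4, $5, $6);
    return unless exists $MON{$mon};
    return (timelocal($s, $m, $h, $day, $MON{$mon}, $ASSUMED_YEAR), $msg);
}

my %pending;        # open windows: user => deadline (epoch seconds)
my @events;         # audit trail of what the replay fired
my $WINDOW = 30;    # assumed window length, stand-in for a PairWithWindow timeout

# Fire expiry actions for every window whose deadline lies before the new clock
# value. This is the step Jim's "time lapse" point asks for: without it, a
# 45-second jump between two lines silently skips the expiry inside the gap.
sub advance_clock_to {
    my ($new) = @_;
    for my $user (sort { $pending{$a} <=> $pending{$b} } keys %pending) {
        if ($pending{$user} < $new) {
            push @events, "TIMEOUT $user at $pending{$user}";
            delete $pending{$user};
        }
    }
    $replay_clock = $new;
}

# Minimal pair rule: a failed login opens a window; an accepted login for the
# same user inside the window pairs with it, otherwise the window times out.
sub process_line {
    my ($line) = @_;
    my ($stamp, $msg) = parse_line($line);
    return unless defined $stamp;
    advance_clock_to($stamp);
    my $now = time();   # the overridden builtin, now equal to the line's stamp
    if ($msg =~ /Failed password for (\w+)/) {
        my $user = $1;
        $pending{$user} = $now + $WINDOW unless exists $pending{$user};
        push @events, "WINDOW_OPEN $user at $now";
    } elsif ($msg =~ /Accepted password for (\w+)/) {
        my $user = $1;
        if (exists $pending{$user}) {
            push @events, "PAIRED $user at $now";
            delete $pending{$user};
        }
    }
}

sub replay {
    my (@lines) = @_;
    %pending = (); @events = (); undef $replay_clock;
    process_line($_) for @lines;
    # Flush: at end of file, expire anything still open past the last line.
    advance_clock_to($replay_clock + $WINDOW + 1) if defined $replay_clock;
    return @events;
}

# Constructed sample, not a real capture: the second line is 45 s after the
# first, so the 30 s window opened for "alice" expires inside that gap and the
# later "Accepted" line must not pair with it. "bob" pairs within his window.
my @sample = (
    'Mar 31 03:15:10 gw sshd[101]: Failed password for alice from 192.0.2.10 port 40000',
    'Mar 31 03:15:55 gw sshd[101]: Accepted password for alice from 192.0.2.10 port 40000',
    'Mar 31 03:16:00 gw sshd[102]: Failed password for bob from 192.0.2.11 port 40001',
    'Mar 31 03:16:20 gw sshd[102]: Accepted password for bob from 192.0.2.11 port 40001',
);

print "$_\n" for replay(@sample);
```

The override only reaches code that calls the Perl builtin; as Jim notes, an action that shells out to date(1) still sees the real clock, and anything SEC stamps internally from its own time() calls will follow the replayed clock whether or not that is what the rule intended.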
