Jeroen,

Perhaps some simulation/analysis could be done without modifying SEC internals but by changing how you input events into SEC and scaling back the times you specified in your rules.

You could set up a "reader-feeder" program that reads your logs and feeds SEC the events with delays/sleeps in between each log line as needed. In this way I'd think most of your rules should work (except some of your calendar rules). Though then your analysis would take the actual time the log times span. Not sure whether that is acceptable or not.

Another option, again without modifying SEC internals, is to modify your rules with time specific properties and make them non-time sensitive by removing the time element from the rule (where you can). Or if you can't remove the time element you could scale the times down by 10 for example, so a 300 second value would then be changed to 3 seconds in its rule and your "reader-feeder" program would only sleep one tenth of the time (as described above) between events being sent to SEC.

Perhaps for some of the scenarios you're interested to analyze or simulate with SEC this may apply.

Regards,
Rock

-----Original Message-----
From: Jeroen Scheerder [mailto:[email protected]]
Sent: Tuesday, March 31, 2009 4:51 AM
To: [email protected]
Subject: [Simple-evcorr-users] Q - Post-hoc, non-realtime logfile processing

Hi,

I'm a relative newcomer to SEC. I've been exploring it with good results so far.

Yet there's one thing. SEC timestamps lines it reads with the current time. This is excellent for real-time analysis, but for later analysis that's not so hot. Syslog files are timestamped, and I'd like to use these timestamps instead of "$time = time()".

Has anybody done this before, and will Pair/PairWithWindow work if I modify the read_line function to extract timestamps from loglines? Or is this a Very Bad Idea for some or other reason?

Regards,
Jeroen.

--
Jeroen Scheerder
ON2IT B.V.
Steenweg 17 B
4181 AJ WAARDENBURG
T: +31 418-653818 | F: +31 418-653716
W: www.on2it.nl | E: [email protected]

------------------------------------------------------------------------------
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
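
A sketch of the "reader-feeder" approach described in the reply above, added here as an example; it is not code from the thread or from the SEC project. It assumes classic syslog timestamps ("Mar 31 04:51:02", no year), and the names parse_syslog_time, feed, SCALE and the sample lines are constructed for illustration.

```python
import sys
import time
from datetime import datetime

# Constructed sample input: a continuation line and an out-of-order line included.
SAMPLE = """\
Mar 31 04:51:02 host sshd[101]: Failed password for root
Mar 31 04:51:12 host sshd[101]: Failed password for root
    continuation line without a timestamp
Mar 31 04:56:12 host sshd[102]: Accepted password for root
Mar 31 04:56:02 host sshd[103]: late-arriving line
"""
SCALE = 10.0  # assumption: the rule windows were scaled down by the same factor


def parse_syslog_time(line, year=2009):
    """Return the timestamp at the start of a classic syslog line, or None.
    The format carries no year, so the caller supplies one (assumed 2009 here)."""
    try:
        return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    except ValueError:
        return None


def feed(lines, out, scale=SCALE, sleep=time.sleep):
    """Write each line to `out`, sleeping (log gap / scale) before it.
    Returns the delays applied, in seconds, one per timestamped line after the first."""
    delays, prev = [], None
    for line in lines:
        ts = parse_syslog_time(line)
        if ts is not None:
            if prev is not None:
                # Out-of-order lines would give a negative gap: send them at once.
                gap = max((ts - prev).total_seconds(), 0.0) / scale
                if gap > 0:
                    sleep(gap)
                delays.append(gap)
            prev = ts if prev is None else max(prev, ts)
        out.write(line if line.endswith("\n") else line + "\n")
        out.flush()  # the reader must see each event when it is sent, not when a buffer fills
    return delays


if __name__ == "__main__":
    # Replays the log file named on the command line to stdout, which is
    # connected to whatever input SEC has been told to read.
    with open(sys.argv[1], errors="replace") as log:
        feed(log, sys.stdout)
```

Lines without a parseable timestamp are forwarded immediately, so multi-line messages stay together; calendar rules still follow the wall clock, as the reply notes.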
