Hayward, Ben wrote:
> Hi List,
> I have a challenge to have SEC trigger upon log NOT having a current
> time stamp on the file. The challenge is that the application sometimes
> hangs, NOT writing to log. I suppose I could look for current time stamp
> in last log line?
>
> Any help from the esteemed group is greatly appreciated
>
> Kind Regards,
>
> ben

hi Ben,

you could also use the following ruleset:

# rule 1: generate a synthetic SSHD_CHECK event every minute
type=Calendar
time=* * * * *
desc=sshd checks
action=event SSHD_CHECK

# rule 2: after SSHD_CHECK, wait 10 minutes for an sshd message
type=PairWithWindow
ptype=SubStr
pattern=SSHD_CHECK
desc=SSHD_INACTIVE
action=event %s
ptype2=RegExp
pattern2=sshd\[\d+\]:
desc2=SSHD_ACTIVE
action2=event %s
window=600

# rule 3: log the inactivity, then wait up to 1 day for recovery
type=Pair
ptype=SubStr
pattern=SSHD_INACTIVE
desc=sshd has been inactive for 10 minutes
action=logonly
ptype2=SubStr
pattern2=SSHD_ACTIVE
desc2=sshd has become active again
action2=logonly
window=86400

The first rule creates SSHD_CHECK synthetic events every minute which are
matched by the second rule. After the second rule has matched this event,
a message for local SSH daemon is expected to arrive within 10 minutes. If
the message does not arrive in time, SSHD_INACTIVE synthetic event is
created, otherwise SSHD_ACTIVE event is produced.

If the third rule sees SSHD_INACTIVE event, it produces a log message
"sshd has been inactive for 10 minutes" and waits for SSHD_ACTIVE event
for 1 day. If the latter arrives, a log message "sshd has become active
again" is produced. In the case sshd is inactive for more than 1 day, the
third rule produces another error message after 24 hours.

hth,
risto
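
Added example (not part of the original messages and not SEC code): a simplified Python model of the three-rule ruleset above, run over a constructed timeline, to show when each log message would be written. The function name, the timeline values and the handling of a timer that expires in the same second as an event are assumptions of this sketch.

```python
# Added illustration: simplified model of the three SEC rules, not SEC itself.
# Assumption: a timer that expires in the same second as an event is handled first.

def simulate(sshd_times, end, check_window=600, pair_window=86400):
    """sshd_times: seconds at which a line matching pattern2 of rule 2 arrives.
    Returns the (time, message) pairs that rule 3 would log up to `end`."""
    events = sorted([(t, "SSHD_CHECK") for t in range(0, end + 1, 60)] +
                    [(t, "sshd") for t in sshd_times if t <= end])
    pww_start = None    # rule 2 (PairWithWindow) operation start, None if idle
    pair_start = None   # rule 3 (Pair) operation start, None if idle
    logged = []

    def rule3(t, event):
        nonlocal pair_start
        if pair_start is not None and t - pair_start >= pair_window:
            pair_start = None                 # Pair window ran out silently
        if pair_start is None:
            if event == "SSHD_INACTIVE":      # first match: log and start waiting
                logged.append((t, "sshd has been inactive for 10 minutes"))
                pair_start = t
        elif event == "SSHD_ACTIVE":          # awaited second event
            logged.append((t, "sshd has become active again"))
            pair_start = None
        # a repeated SSHD_INACTIVE is absorbed by the running Pair operation

    for t, kind in events:
        if pww_start is not None and t - pww_start >= check_window:
            expiry, pww_start = pww_start + check_window, None
            rule3(expiry, "SSHD_INACTIVE")    # no sshd line within the window
        if kind == "sshd" and pww_start is not None:
            pww_start = None
            rule3(t, "SSHD_ACTIVE")           # sshd line arrived in time
        elif kind == "SSHD_CHECK" and pww_start is None:
            pww_start = t                     # rule 1 event starts rule 2
    return logged

if __name__ == "__main__":
    # Constructed timeline: sshd logs every 5 minutes, hangs after t=930,
    # resumes at t=5000.
    for when, msg in simulate([30, 330, 630, 930, 5000], end=5400):
        print(when, msg)
```

In this model the alert fires at t=1560, about 10.5 minutes after the last sshd line at t=930, because the 10-minute window only starts at the next SSHD_CHECK tick.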