In message <fe95c4b2-b64d-41ce-ac04-fc4ac526e...@pobox.com>,
Don Faulkner writes:
>I know this isn't the best way to do things, but...

But it is useful.

>Has anyone had any success throwing email messages at SEC? How did you
>do it?

Couple of ways:

Have SEC follow a pipe (mknod /var/run/sec/email) and in your aliases
(or .forward) set up the cat command to write data to the pipe.

  | /bin/cat > /var/run/sec/email

No need for file rotation, but harder to debug as you don't have a copy
of the input data (| tee /tmp/hardcopy > /var/run/sec/email works to
get around this, although you do need to rotate /tmp/hardcopy at some
point).

You can also have sec tail the spool file /var/spool/mail/sec and have
it perform the rotation using a calendar command like:

  type = calendar
  time = 0 6 * * *
  desc = rotate /var/spool/mail/sec once a day (core)
  action = shellcmd /bin/mv %eventStreamFile %{eventStreamFile}.old; \
           shellcmd /bin/touch %eventStreamFile

The touch is optional. You may just want to have sec wait till the file
is recreated normally by sendmail/fetchmail etc.

>I have some devices that prefer to send me mail when interesting
>events occur. I'd like SEC to "read" the mail from those systems and
>do the right thing, either emailing me about real problems, or taking
>other actions as necessary.
>
>My first thought is to pull the mail via some mechanism (pop3, imap,
>etc.), and have procmail push the messages from my devices into a flat
>file that SEC would use as an input.

Well, polling has the issue that you are turning a more or less
continuous stream of data into discrete units every poll cycle. If you
have Exchange or something handling your mail, that's the best you can
do.

Remember that the timing will be wonky when you create your analysis
rules. Saying data from two separate messages must come in 1 minute
after another when you poll every 5 minutes means that rule may not
fire when you need it to. So all your windows have to account for the
second half of a pair rule coming in the following poll cycle even
though they are generated much more closely together in time.

>I don't know how this would work
>as that file grows. Eventually, it will have to rotate, which I assume
>I could just handle with standard Linux/Solaris log-rotation tools.

Or just mv as above.

>Ideally, the interesting lines in the email would end up in syslog or
>some such place for uniformity as well.

Use logger(1) from a sec shellcmd to generate the syslog entry.

>Am I going down the right path?

Well, you are going down a well traveled path at least.

--
				-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
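
An added example, not part of the message above: a small delivery filter that could stand in for the plain /bin/cat in the alias, turning each mail into single-line events and stripping control characters before anything reaches the FIFO or the debug copy. The event line format, the function names and the --deliver switch are assumptions made for this sketch; the two paths are the ones named in the message.

```shell
#!/bin/sh
# Added example: delivery filter for an aliases/.forward pipe entry.
# Paths are the ones named in the message; the event format is made up here.
SEC_PIPE=${SEC_PIPE:-/var/run/sec/email}   # FIFO that SEC follows
HARDCOPY=${HARDCOPY:-/tmp/hardcopy}        # debug copy; rotate it yourself

# stdin: one mail message. stdout: one event line per non-blank body line.
mail_to_events() {
    # Mail is untrusted input: drop control bytes (CR, ESC, NUL ...) first,
    # keeping only tab and newline, so nothing odd reaches SEC or syslog.
    tr -d '\000-\010\013-\037\177' | awk '
        BEGIN { body = 0; from = "-"; subj = "-" }
        !body && /^$/ { body = 1; next }        # blank line ends the headers
        !body {
            h = tolower($0)
            if (h ~ /^from:/) {
                from = $0; sub(/^[^:]*:[ \t]*/, "", from)
                # prefer the bare address when the header is "Name <addr>"
                if (match(from, /<[^>]*>/))
                    from = substr(from, RSTART + 1, RLENGTH - 2)
            }
            if (h ~ /^subject:/) {
                subj = $0; sub(/^[^:]*:[ \t]*/, "", subj); gsub(/"/, "", subj)
            }
            next                                 # other headers are ignored
        }
        /^[ \t]*$/ { next }                      # skip blank body lines
        { printf "mail from=%s subject=\"%s\" msg=%s\n", from, subj, $0 }
    '
}

# Append events to the debug copy and the FIFO. Opening the FIFO blocks
# until SEC has it open for reading, so delivery waits while SEC is down.
deliver() {
    mail_to_events | tee -a "$HARDCOPY" >> "$SEC_PIPE"
}

# Constructed sample message (CRLF line ends, one embedded escape sequence).
sample_message() {
    printf 'From: UPS Unit <ups1@example.net>\r\nSubject: On battery\r\n'
    printf 'X-Folded: a\r\n b\r\n\r\nUtility power lost\r\n\r\n'
    printf 'Runtime 12 min \033[2Jremaining\r\n'
}

# In the alias:  sec: "|/path/to/this/script --deliver"
if [ "${1:-}" = "--deliver" ]; then deliver; fi
```

Unlike the tee in the message, this one appends (tee -a), so the debug copy grows until it is rotated.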