Good stuff, thanks for the help!
Here's what I ended up using:

#################################################
# SEC Startup
type=Single
desc=Module load and range setup
ptype=SubStr
pattern=SEC_STARTUP
context = [SEC_INTERNAL_EVENT]
action = shellcmd /usr/bin/tail -F /tmp/sec.log | /www/svn/php-syslog-ng/scripts/sec_db_insert.pl

On Fri, Jun 26, 2009 at 1:32 PM, John P. Rouillard<rou...@cs.umb.edu> wrote:
>
> In message <4a450337.8010...@seb.ee>,
> Risto Vaarandi writes:
>
>>John P. Rouillard wrote:
>>> Somebody else whose attribution was dropped said:
>>>> Here's what I have:
>>>> #################################################
>>>> # %CCM_CALLMANAGER-CALLMANAGER
>>>> type=Single
>>>> ptype=RegExp
>>>> pattern=(.*CCM_CALLMANAGER-CALLMANAGER.*)
>>>> desc=CallManager
>>>> action=write /tmp/sec.log $1
>>>> action=shellcmd tail -F /tmp/sec.log |
>>>> /www/svn/php-syslog-ng/scripts/sec_db_insert.pl
>>>
>>> Hmm, that should throw an error I think. Two action statements aren't
>>> valid AFAIK. Risto?
>>
>>Actually, the later 'action' value overrides the earlier one. So for
>>having two actions, one has to write them as a list to one 'action'
>>field, with a semicolon acting as a separator.
>
> Ok, that's what I thought. So I claim having two action statements is
> almost always an error. Maybe sec should issue a warning on startup
> when parsing the rule? Something like:
>
>   Multiple action values detected for rule in filename.sr starting at
>   line 33. Using only the last value.
>
> --
> -- rouilj
> John Rouillard
> ===========================================================================
> My employers don't acknowledge my existence much less my opinions.
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>

--
______________________________________________________________

Clayton Dukes
______________________________________________________________
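
Added example, not part of the original thread or of SEC itself: a small Python check for the duplicate-field mistake discussed above. It returns a warning in the wording John proposes, plus the single semicolon-separated action field Risto describes. It assumes the SEC rule-file layout in which blank and comment lines separate rules and a trailing backslash continues a field; split_rules, lint and the sample text are constructed for illustration.

```python
import re

FIELD = re.compile(r"^\s*(\w+)\s*=\s*(.*)$")

# Constructed sample: the rule quoted in the thread, with the mail-wrapped
# shellcmd line joined back onto one line.
SAMPLE = """\
#################################################
# %CCM_CALLMANAGER-CALLMANAGER
type=Single
ptype=RegExp
pattern=(.*CCM_CALLMANAGER-CALLMANAGER.*)
desc=CallManager
action=write /tmp/sec.log $1
action=shellcmd tail -F /tmp/sec.log | /www/svn/php-syslog-ng/scripts/sec_db_insert.pl
"""

def split_rules(text):
    """Yield (start_line, [(keyword, value), ...]) for each rule block."""
    start, fields, pending = None, [], ""
    for num, raw in enumerate(text.splitlines() + [""], 1):
        line = pending + raw
        if line.endswith("\\"):            # field continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        if not line.strip() or line.lstrip().startswith("#"):
            if fields:                     # blank/comment line closes the rule
                yield start, fields
            start, fields = None, []
        elif (m := FIELD.match(line)):
            start = start or num
            fields.append((m.group(1), m.group(2).strip()))

def lint(text, filename="filename.sr"):
    """Return (warnings, {rule_start_line: merged single action field})."""
    warnings, merged = [], {}
    for start, fields in split_rules(text):
        seen = {}
        for key, val in fields:
            seen.setdefault(key, []).append(val)
        for key, vals in seen.items():
            if len(vals) > 1:              # only the last value takes effect
                warnings.append(f"Multiple {key} values detected for rule in "
                                f"{filename} starting at line {start}. "
                                "Using only the last value.")
                if key == "action":
                    merged[start] = "action=" + "; ".join(vals)
    return warnings, merged
```

Calling lint(SAMPLE) reports the rule starting at line 3 of the sample, because the two leading comment lines are not part of the rule.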