Hi,
I am using SEC v2.5. The problem I have is that SEC doesn't seem to read lines
over 1024 characters in length. I found out that it is using sysread(),
which has a limitation of 1024 characters.
Scenario: The logfile has lines reaching 1600 characters in length.
rule:
type=singlewiththreshold
ptype=regexp
pattern=(routing.jsp_servlet._dialogs)
desc=$0
action=write - $0
window=10
thresh=10
result:
When thresh is set to 10, the rule is loaded but I do not get any result. The
threshold is definitely being met as the pattern occurs at least 10 times per
second. When I set the thresh to 1, I get the results. Basically, setting the
thresh to any number greater than one does not trigger the alarm.
I'm thinking that, because of the limitation of sysread to 1024 characters, SEC is
unable to process multiple lines in a singlewiththreshold window.
I tried the same rule on a similar file whose characters per line do not
exceed 1024 and it works fine.
Is there a way to bypass this without having to split the lines? Is there a
function I can use to replace sysread(1024)?
Any help will do. Thanks in advance.
Regards,
Ronald
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users