I think the problem may be that sysread is limiting to 1024 because
that is how the RFC defines a syslog message - it's not supposed to
exceed that. Whatever system that's sending messages of 1600 bytes
isn't following the rules of the protocol...shame on them?

http://www.faqs.org/rfcs/rfc3164.html (see section 4.1)


On Fri, Oct 23, 2009 at 6:17 PM, Ronald San Juan
<ronald.sanj...@telus.com> wrote:
> Hi,
>
> I am using SEC v2.5. The problem I have is SEC doesn't seem to read on lines
> with over 1024 characters in length. I found out that it is using sysread()
> which has limitations to 1024 characters.
>
> Scenario: The logfile has lines reaching 1600 characters in length.
>
> rule:
>
> type=singlewiththreshold
> ptype=regexp
> pattern=(routing.jsp_servlet._dialogs)
> desc=$0
> action=write - $0
> window=10
> thresh=10
>
> result:
>
> When thresh is set to 10, the rule is loaded but I do not get any result.
> The threshold is definitely being met as the pattern occurs at least 10
> times per second. When I set the thresh to 1, I get the results. Basically,
> setting the thresh to any number greater than one does not trigger the
> alarm.
>
> I'm thinking because of the limitation of sysread to 1024 characters, SEC
> is unable to process multiple lines in a singlewiththreshold window.
>
> I tried the same rule to a similar file whose characters per line does not
> exceed 1024 and it works fine.
>
> Is there a way to bypass this without having to split the lines? Is there a
> function I can use to replace sysread(1024)?
>
> Any help will do. Thanks in advance.
>
>
> Regards,
>
> Ronald
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>
>



-- 
______________________________________________________________

Clayton Dukes
______________________________________________________________
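
The length argument of Perl's sysread() caps how many bytes one call returns, so whether a 1600-character line survives depends on whether the reader keeps the unterminated tail between calls. The sketch below is an added example, not SEC's code and not code from either poster; it shows that reassembly over 1024-byte reads and then applies the pattern from the rule above. The `read_lines` helper, the block size variable and the sample lines are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not SEC's code: reassembling lines from 1024-byte sysread() calls.
use strict;
use warnings;
use File::Temp qw(tempfile);

my $BLOCK = 1024;    # assumed block size, taken from the figure in the thread

# Hypothetical helper: drain $fh in $BLOCK-byte reads and return the complete
# lines seen so far. An unterminated tail stays in $$buf for the next call.
sub read_lines {
    my ($fh, $buf) = @_;
    my @lines;
    while (1) {
        my $n = sysread($fh, my $chunk, $BLOCK);
        die "sysread failed: $!" unless defined $n;
        last if $n == 0;                       # nothing more to read right now
        $$buf .= $chunk;
        while ((my $pos = index($$buf, "\n")) >= 0) {
            my $line = substr($$buf, 0, $pos + 1, '');   # cut the line off the buffer
            chomp $line;
            push @lines, $line;
        }
    }
    return @lines;
}

# Constructed sample: 10 lines of exactly 1600 characters, each containing
# text that the rule's pattern matches.
my ($out, $path) = tempfile(UNLINK => 1);
for my $i (1 .. 10) {
    my $line = "request $i /routing.jsp_servlet._dialogs ";
    $line .= 'x' x (1600 - length($line));
    print {$out} "$line\n";
}
close($out) or die "close failed: $!";

open(my $in, '<', $path) or die "open failed: $!";
my $tail  = '';
my @lines = read_lines($in, \$tail);
close($in);

my $hits    = grep { /(routing.jsp_servlet._dialogs)/ } @lines;
my $longest = 0;
for my $l (@lines) { $longest = length($l) if length($l) > $longest }

printf "lines=%d longest=%d matches=%d leftover=%d\n",
    scalar(@lines), $longest, $hits, length($tail);
```

A reader that instead treats each 1024-byte chunk as a line would split every 1600-character record, so comparing the line count and longest length printed here against what a tool actually reports is a quick way to tell the two behaviours apart.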
