> Another question -- are there any error messages in the SEC log file
> about the scripts that have not been executed?
>
> Nope, debug and error.log are empty, 0 bytes, also, when I tested the sec
> file with the input=- option, all rules were loaded properly.
>
> Have you sent the SIGUSR1 signal to the SEC process, in order to check if
> SEC has all log files open? <-- Nope, and not sure how to do this, will
> investigate it.
>
If you execute "kill -USR1 <SEC process ID>", a lot of information about the internal state of SEC will be written to /tmp/sec.dump. Among other information, you can see which input files are currently open, how much data have been read from each file, how many events each rule has matched, what event correlation operations are currently active, etc. In other words, there is a lot of valuable info that is helpful in the debugging process.

hope this helps,
risto
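The debugging step described in the message above, as an added shell example (not part of the original thread and not SEC's own tooling): it sends SIGUSR1, waits for the dump to appear, and lists any expected input files the dump does not mention. The function names, the timeout and the `.old` suffix are assumptions made for this example; only `kill -USR1` and `/tmp/sec.dump` come from the message.

```shell
#!/bin/sh
# Added example, not SEC's own tooling.

# sec_request_dump PID [DUMPFILE] [TIMEOUT_SECONDS]
# Sends SIGUSR1 to SEC and waits for a non-empty dump file to appear.
sec_request_dump() {
    pid=$1
    dump=${2:-/tmp/sec.dump}   # path named in the message above
    timeout=${3:-10}

    # Fail early if the process is gone or we are not allowed to signal it.
    kill -0 "$pid" 2>/dev/null || { echo "cannot signal PID $pid" >&2; return 1; }

    # Move a leftover dump aside so old state is never mistaken for new.
    if [ -e "$dump" ]; then
        mv -- "$dump" "$dump.$(date +%Y%m%d%H%M%S).old" || return 1
    fi

    kill -USR1 "$pid" || return 1

    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        [ -s "$dump" ] && return 0
        sleep 1
        waited=$((waited + 1))
    done
    echo "no dump at $dump after ${timeout}s" >&2
    return 1
}

# sec_dump_missing_inputs DUMPFILE PATH...
# Prints every PATH the dump does not mention; returns 1 if any is missing.
# Assumption: a plain substring match, since the dump layout is not shown on
# this page. Read the dump itself to see the status reported for each file.
sec_dump_missing_inputs() {
    dump=$1
    shift
    missing=0
    for path in "$@"; do
        if ! grep -qF -- "$path" "$dump"; then
            printf '%s\n' "$path"
            missing=1
        fi
    done
    return "$missing"
}
```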