> hi Gonzalo, > from the crontab line you have given, I can conclude that > the file is not overwritten, but new data are simply > appended to it (the >> operator means append, while > > truncates the file before writing). In the case of > >> SEC has no issues with monitoring the file, since > new events are normally added to log files by appending.
As a sidenote -- with the > operator things would look different, since > could write more bytes to the file than the original file size. In that case it is impossible for SEC to distinguish it from the append operation, since the file i-node number is still the same and the file size has increased. Fortunately, there is a simple solution to it: mycommandline /log/seclog >/log/tempfile; mv -f /log/tempfile /log/seclog will overwrite /log/seclog by assigning the i-node and file blocks of /log/tempfile to it. Since the i-node number of /log/seclog changes, SEC will realize that the file has been overwritten and will process it from the beginning. hth, risto > > > Hi all, > > > > I have a file that is going to be monitorized with > sec, but > > this file is > > rewriten every 4 minutes, on this simplified way via > > crontab > > > > */4 * * * * cat /log/original_file.log | sort -n > >> > > /log/sortened_file.log > > > > And now i need to setup some alerts using that > sortened > > file, this alerts > > will use contexts, singlewith thresholds and so, and > i'm > > not sure about > > how sec will handle this alerts if the file is > rewriten > > every 4 minutes. > > > > anyone here have been on a similar situation? > > > > Thanks and regards form Zaragoza > > > > > > > ------------------------------------------------------------------------------ > > ThinkGeek and WIRED's GeekDad team up for the Ultimate > > > GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to > the > > lucky parental unit. See the prize list and enter > to > > win: > > http://p.sf.net/sfu/thinkgeek-promo > > _______________________________________________ > > Simple-evcorr-users mailing list > > Simple-evcorr-users@lists.sourceforge.net > > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users > > > > > > > ------------------------------------------------------------------------------ > ThinkGeek and WIRED's GeekDad team up for the Ultimate > GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the > lucky parental unit. See the prize list and enter to > win: > http://p.sf.net/sfu/thinkgeek-promo > _______________________________________________ > Simple-evcorr-users mailing list > Simple-evcorr-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users > ------------------------------------------------------------------------------ ThinkGeek and WIRED's GeekDad team up for the Ultimate GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the lucky parental unit. See the prize list and enter to win: http://p.sf.net/sfu/thinkgeek-promo _______________________________________________ Simple-evcorr-users mailing list Simple-evcorr-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
