On 25.01.2011 17:50, John P. Rouillard wrote:
In message <4d3ef192.7030...@fleetboard.com>,
M Haris Farooque writes:

I would just like to know what will happen when a file (data.log) is rotated
automatically which is actually hooked to the SEC_STARTUP event as shown
in the following rule definition.

type=single
ptype=substr
pattern=SEC_STARTUP
continue=TakeNext
context=SEC_INTERNAL_EVENT
desc=$0
action= spawn /usr/bin/tail -f /var/log///data.log
Like in my case, data.log is rotated automatically when the file size
exceeds 1GB. It is moved/renamed (a timestamp is appended to the end of
its name) and a new file 'data.log' (of 0 bytes) is touched.

Does SEC continue operating with the new file without problems?
You are using tail -f and not tail -F, so it won't jump to the new
file. In my version of tail the two are different. From the man
page:

     -f, --follow[={name|descriptor}]
            output appended data as the file grows; -f, --follow, and
            --follow=descriptor are equivalent
     -F     same as --follow=name --retry
     [...]

     With --follow (-f), tail defaults to following the file
     descriptor, which means that even if a tail'ed file is renamed,
     tail will continue to track its end.  This default behavior is not
     desirable when you really want to track the actual name of the
     file, not the file descriptor (e.g., log rotation).  Use
     --follow=name in that case.  That causes tail to track the named
     file by reopening it periodically to see if it has been removed
     and recreated by some other program.

It's been a while since I have done it but tail -F /var/log/data.log
should continue reporting data from the rotated log file. IIRC tail
also reports when the file is rotated, so you will need to put a rule
in your SEC ruleset to capture the output from tail when the log file
is rotated.

--
                                -- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
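As an added example (not from the thread or the SEC distribution), here is the startup rule rewritten to follow data.log by name, plus a second rule that records the rotation notice GNU tail prints on stderr. It assumes GNU coreutils tail, that SEC's spawn action runs the command through a shell (so `2>&1` merges stderr into the captured input), and that the wording of tail's notices matches the regular expression below; check both against the local tail version.

```conf
# Follow data.log by name (--follow=name --retry), so that after the file is
# renamed and a fresh data.log is created, tail reopens the new file instead
# of staying attached to the old descriptor as it would with plain -f.
# 2>&1 sends tail's own notices to stdout, which is what spawn feeds to SEC.
type=Single
ptype=SubStr
pattern=SEC_STARTUP
context=SEC_INTERNAL_EVENT
continue=TakeNext
desc=start following data.log by name
action=spawn /usr/bin/tail -F /var/log/data.log 2>&1

# Catch tail's rotation notices so they are logged rather than treated as
# ordinary data.log lines. Assumed GNU tail wording (quote characters vary
# between versions, hence the loose match):
#   tail: '/var/log/data.log' has become inaccessible: No such file or directory
#   tail: '/var/log/data.log' has appeared;  following new file
type=Single
ptype=RegExp
pattern=^tail: .*data\.log.* has (become inaccessible|appeared)
desc=data.log rotation notice from tail
action=logonly data.log rotation event seen: $0
```

The descriptions can be extended with a context that suppresses other matching while the file is unavailable, but the pair above is enough to confirm that tail really reopened the recreated file.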
Thanks John, I will try it.

/@ Risto: ... why not follow this file with the --input command line option? .../

Let me explain what I am doing. Actually, in my case, SEC is not taking input from the server log file (server.log). What I am doing is running an input driver (a separate program) along with SEC; this input driver is constantly reading server.log and whenever a new line is logged, the driver writes it to the data.log file, which is hooked into SEC by the rule specified in my earlier email.

About user input through a PIPE: a user can request to view the current status of the captured events. To make this possible, I need some SEC context information from context.dump. I have another rule which creates the context.dump file. This context.dump is parsed by an external program to generate a report for the user, and this is done by sending the input pattern 'Genrate Report' to the defined rule through the PIPE.

My implemented scenario is complex, but this is the only solution I found to deal with the requirements.

Thanks
--

Kind Regards

M Haris Farooque

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users