Hi Risto,

Thank you a lot, this is exactly what I need :)

Cheers,
Kevin

2011/6/30 Risto Vaarandi <risto.vaara...@seb.ee>:
> hi Kevin,
>
> although there is no command line option for limiting the number of
> child processes, you can check their number from a context expression.
> The info about all children is stored to SEC's internal %children hash
> with PIDs acting as keys (you can access this hash by using the main::
> prefix). Therefore,
>
> scalar(keys(%main::children))
>
> will tell you the number of child processes. For example, the following
> fairly simple rule will start at most 3 child processes for the TEST event:
>
> type=Single
> ptype=SubStr
> pattern=TEST
> context= ->( sub { return (scalar(keys(%main::children)) < 3); } )
> desc=sleep for 30 seconds
> action=shellcmd sleep 30
>
> Instead of the anonymous function and the ->( ) operator, you can also
> write
>
> =( scalar(keys(%main::children)) < 3 )
>
> which is shorter, but less efficient, because the code is compiled
> before *each* execution.
>
> hope this helps,
> risto
>
> On 06/30/2011 01:19 PM, Kevin Stevenard wrote:
>> Hello all,
>>
>> I would like to know if there is a way to limit the number of forked
>> processes (used by report or shellcmd calls) that run in parallel,
>> indeed I know that logs that SEC analyzes for me can be huge and in
>> some circumstances we can receive a lot of logs that will trigger a
>> report command, and I think that in this kind of circumstances it can
>> impact my server if the number of tasks running in parallel is too
>> high.
>> In this special case I don't want to make use of a window to reduce the
>> number of triggered actions.
>>
>> Best Regards,
>>
>> Kevin,
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
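
An added example, not part of the original thread and not taken from the SEC distribution: the rule from the reply above, followed by a second rule that records TEST events which were skipped because the child limit was reached, so a log flood that hits the cap still leaves a trace in the SEC log. The 60-second window and the description text of the second rule are assumptions chosen for illustration.

```conf
# Constructed example ruleset. The TEST pattern, the cap of 3 and the
# "sleep 30" command are the ones used in the thread.

# Rule 1: start the command only while fewer than 3 child processes exist.
# The ->( sub { ... } ) form is compiled once when the rule is loaded.
# With the default continue=DontCont, a matching event stops here.
type=Single
ptype=SubStr
pattern=TEST
context= ->( sub { return (scalar(keys(%main::children)) < 3); } )
desc=sleep for 30 seconds
action=shellcmd sleep 30

# Rule 2: reached only when rule 1 did not match, i.e. the context
# expression returned false because 3 children were already running.
# SingleWithSuppress writes the description to the SEC log once and then
# stays silent for 60 seconds, so the warning itself cannot flood the log.
type=SingleWithSuppress
ptype=SubStr
pattern=TEST
desc=child process limit reached, TEST event not acted on
action=logonly
window=60
```

Because %main::children holds every child SEC has started, the limit counts processes forked by all rules in all loaded rule files, not only those started by rule 1.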