Reformatted to eliminate top posting.

In message
<CAOPNSE-U+AjDxMHr=xx82mvxcjy4xwhfutr9ismzfml0m7g...@mail.gmail.com> ,
Elia Mariani writes:
>>> [Elia Mariani]
>>> I am trying to learn to use SEC and I have encountered the following
>>> problem:
>>>
>>> I am monitoring a text file with the following simplified rule:
>>>
>>> type=Single
>>> ptype=RegExp
>>> pattern=foo\s+(\S+)
>>> desc=$0
>>> action=logonly
>>>
>>> Every time the file is updated, SEC processes it from the start,
>>> firing rules that were already fired before. For example, when I am
>>> monitoring a file that tracks user logins, every time a new user
>>> logs in, SEC processes the entire file, executing actions for
>>> every login entry. Even for those whose action has already been
>>> executed before.
>>>
>>> I would like to know if it is possible to make SEC fire rules only for new
>>> events.
>>2011/7/26 John Grasett <john.gras...@atech.com>
>>
>> How are you invoking SEC? What's the command line you use to start it?
>sec -conf=/home/me/sec/C1.conf -input=/home/me/sec/inputStream.dat

Hmm, I am not sure why you are seeing sec reprocess the entire input
file. It doesn't do that by default and the command line you are using
won't have sec do that.

How are you adding data to the inputStream.dat file? If you add just
one line to the end of that file:

  echo "foo something" >> /home/me/sec/inputStream.dat

do you still see it reprocessing the whole file?

--
                                -- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
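
Added example, not part of the original message or of SEC itself: a shell check for the distinction the reply's question turns on, whether the writer appends to the monitored file or replaces or truncates it. It assumes a tail-style reader starts over from the beginning when the inode changes or the file shrinks; the function names and sample lines are constructed.

```shell
#!/bin/sh
# Constructed example: classify how a monitored file changed between two
# observations, as a tail-style reader would see it. Assumption: such a
# reader starts over when the inode changes or the file shrinks.

# snapshot FILE -> prints "INODE SIZE"
snapshot() {
    inode=$(ls -i "$1" | awk '{print $1}')   # inode number
    size=$(wc -c < "$1" | tr -d ' ')         # size in bytes
    echo "$inode $size"
}

# classify "OLD_INODE OLD_SIZE" "NEW_INODE NEW_SIZE"
classify() {
    set -- $1 $2                  # split into: old_inode old_size new_inode new_size
    if   [ "$1" != "$3" ]; then echo replaced    # new file under the same name
    elif [ "$4" -lt "$2" ]; then echo truncated  # same file, contents cut
    elif [ "$4" -gt "$2" ]; then echo appended   # same file, only grew
    else echo unchanged                          # same inode and size
    fi
}

# demo: three ways of "adding a line", on constructed sample data
demo() {
    dir=$(mktemp -d) || return 1
    f="$dir/inputStream.dat"
    printf 'foo alice\nfoo bob\n' > "$f"

    before=$(snapshot "$f")
    echo "foo carol" >> "$f"                      # append in place
    r1=$(classify "$before" "$(snapshot "$f")")

    before=$(snapshot "$f")
    { cat "$f"; echo "foo dave"; } > "$f.tmp" && mv "$f.tmp" "$f"   # save-by-rename
    r2=$(classify "$before" "$(snapshot "$f")")

    before=$(snapshot "$f")
    echo "foo erin" > "$f"                        # overwrite with '>'
    r3=$(classify "$before" "$(snapshot "$f")")

    rm -rf "$dir"
    echo "$r1 $r2 $r3"
}

demo   # prints: appended replaced truncated
```

Only the first case leaves earlier lines behind the reader's position; many editors and scripts that "add a line" actually do the second or third.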
