My mistake... I was simulating the input stream by manually writing in the
file, which was being recreated every time I saved it. When I started the
real stream, SEC began working as intended :)

Thanks for the help!

2011/7/26 John Grasett <john.gras...@atech.com>

> That looks like it should work... and how are you simulating the streaming
> file, or is it a real streaming log?
>
>
>
> -----Elia Mariani <chaotic.eng...@gmail.com> wrote: -----
>
> To: John Grasett <john.gras...@atech.com>
>
> From: Elia Mariani <chaotic.eng...@gmail.com>
> Date: 07/26/2011 05:18PM
> Cc: simple-evcorr-users@lists.sourceforge.net
> Subject: Re: [Simple-evcorr-users] Filtering duplicate events
>
>
> sec -conf=/home/me/sec/C1.conf -input=/home/me/sec/inputStream.dat
>
>
> 2011/7/26 John Grasett <john.gras...@atech.com>
>
>> How are you invoking SEC? What's the command line you use to start it?
>>
>> Cheers!
>>
>> John G.
>>
>> Date: Tue, 26 Jul 2011 15:51:01 +0200
>> From: Elia Mariani <chaotic.eng...@gmail.com>
>> Subject: [Simple-evcorr-users] Filtering duplicate events
>> To: simple-evcorr-users@lists.sourceforge.net
>> Message-ID:
>> <caopnse8fvrw9qxhb3zmj4r6+asaadm2mzt__tk-9+sn1gj5...@mail.gmail.com>
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>>
>> Hello,
>>
>> I am trying to learn using SEC and I have encountered the following
>> problem:
>>
>> I am monitoring a text file with the following simplified rule:
>>
>> type=Single
>> ptype=RegExp
>> pattern=foo\s+(\S+)
>> desc=$0
>> action=logonly
>>
>> Every time the file is updated, SEC processes it from the start, firing
>> rules that were already fired before. For example, when I am monitoring a
>> file that tracks user logins, every time a new user logs in, SEC processes
>> the entire file, executing actions for every login entry, even for those
>> whose action has already been executed before.
>>
>> I would like to know if it is possible to make SEC fire rules only for new
>> events.
>>
>> Thanks for the help.
>> _______________________________________________
>> Simple-evcorr-users mailing list
>> Simple-evcorr-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>>
>>
>> End of Simple-evcorr-users Digest, Vol 60, Issue 1
>
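The difference reported at the top of this thread (an editor save recreates the file and every old entry is replayed, while a real appended stream yields only new events), as an added example that is not part of the original messages and is not SEC's own code. It is a simplified Python model that assumes a recreated file is recognised by a changed inode or a shrunken size; the `Follower` class, the `demo` function and the sample events are constructed for illustration.

```python
import os
import re
import tempfile

PATTERN = re.compile(r"foo\s+(\S+)")  # same regexp as the rule in the thread

class Follower:
    """Simplified tail-style reader (a model, not SEC's implementation)."""

    def __init__(self, path):
        self.path = path
        st = os.stat(path)
        # Start at the current end of file: only later events count.
        self.inode, self.offset = st.st_ino, st.st_size

    def poll(self):
        """Return the pattern matches found since the previous poll."""
        st = os.stat(self.path)
        if st.st_ino != self.inode or st.st_size < self.offset:
            # File was recreated or truncated: treat it as a new file
            # and read from the top, so old entries are seen again.
            self.inode, self.offset = st.st_ino, 0
        with open(self.path, "rb") as fh:
            fh.seek(self.offset)
            data = fh.read()
            self.offset = fh.tell()
        return PATTERN.findall(data.decode())

def demo():
    """Compare appending to the file with an editor-style save."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "inputStream.dat")
        with open(path, "w") as fh:
            fh.write("foo alice\nfoo bob\n")      # constructed sample events
        follower = Follower(path)
        with open(path, "a") as fh:               # real stream: append in place
            fh.write("foo carol\n")
        appended = follower.poll()
        tmp = path + ".swp"                       # editor save: write a new file,
        with open(tmp, "w") as fh:                # then rename it over the old one
            fh.write("foo alice\nfoo bob\nfoo carol\nfoo dave\n")
        os.replace(tmp, path)
        resaved = follower.poll()
    return appended, resaved

if __name__ == "__main__":
    print(demo())
```

When testing rules by hand, appending with `echo "foo user" >> inputStream.dat` keeps the same file in place and avoids the replay.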