Re: [Simple-evcorr-users] How to force SEC not to process a file from start when it is being edited.

Wed, 19 Oct 2011 04:32:42 -0700 

File-system wise, on save, the file is created from 0 bytes and repopulated,
so SEC might not know that it was a user-edit.

This could happen with nano (pico), try a more powerful editor like vim (or
emacs).

--
Justin J. Novack
Official Disturber of the Peace


On Wed, Oct 19, 2011 at 6:55 AM, Supratik Goswami
<supratiksek...@gmail.com>wrote:

> When monitoring a file using SEC, it normally tails on that file and
> any new changes can be matched against some pattern.
> If someone edits that file using any editor SEC recognizes that the
> file has been recreated and shows the below message
>
> Input file ./testdir/p has been recreated
> Shuffled ./testdir/p, reopening and processing from the start
>
> Now it will find all the matches again which it has done it earlier.
>
> Is there any way I can tell SEC to tail again without processing the
> file from the start and alert once ?
>
> --
> Warm Regards
>
> Supratik
>
>
> ------------------------------------------------------------------------------
> All the data continuously generated in your IT infrastructure contains a
> definitive record of customers, application performance, security
> threats, fraudulent activity and more. Splunk takes this data and makes
> sense of it. Business sense. IT sense. Common sense.
> http://p.sf.net/sfu/splunk-d2d-oct
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>

------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a
definitive record of customers, application performance, security
threats, fraudulent activity and more. Splunk takes this data and makes
sense of it. Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2d-oct
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users

Reply via email to