Even if it were possible to delete, say, 100 bytes from the front of the file, how would SEC know that it needed to skip back 100 bytes to keep its concept of the current location in the file? Imagine a scenario with multiple writes to the end of the file, some of which SEC has processed, but some it hasn't. Then 100 bytes at the front of the file get removed. How could this possibly work?

Eric.

On 10/19/2011 7:56 AM, Justin J. Novack wrote:
> Again, the main thing here is that SEC doesn't care, it is the OS at
> fault (for doing it correctly). Your editor recreates the file from 0
> bytes, so how is SEC to know it's not a new file?
>
> Try other methods of editing the file, like sed or diff if you are
> crafty. If you are just adding content to the end, do an "echo >>".
> Otherwise, stop editing the file that SEC wants to sequential read :)
> Or write an intermediary process.
>
> It's not SEC's fault, it doesn't know it's the same file.
>
> --
> Justin J. Novack
> Official Disturber of the Peace
>
> On Wed, Oct 19, 2011 at 7:47 AM, Supratik Goswami <supratiksek...@gmail.com> wrote:
>
> Yes it is happening with vim.
>
> Is there any way to tell SEC not to repopulate?
>
> On Wed, Oct 19, 2011 at 5:01 PM, Justin J. Novack <jnov...@gmail.com> wrote:
> > File-system wise, on save, the file is created from 0 bytes and repopulated,
> > so SEC might not know that it was a user-edit.
> > This could happen with nano (pico), try a more powerful editor like vim (or
> > emacs).
> > --
> > Justin J. Novack
> > Official Disturber of the Peace
> >
> > On Wed, Oct 19, 2011 at 6:55 AM, Supratik Goswami <supratiksek...@gmail.com> wrote:
> >>
> >> When monitoring a file using SEC, it normally tails on that file and
> >> any new changes can be matched against some pattern.
> >> If someone edits that file using any editor SEC recognizes that the
> >> file has been recreated and shows the below message
> >>
> >> Input file ./testdir/p has been recreated
> >> Shuffled ./testdir/p, reopening and processing from the start
> >>
> >> Now it will find all the matches again, which it has done earlier.
> >>
> >> Is there any way I can tell SEC to tail again without processing the
> >> file from the start and alert once?
> >>
> >> --
> >> Warm Regards
> >>
> >> Supratik
> >>
> >> _______________________________________________
> >> Simple-evcorr-users mailing list
> >> Simple-evcorr-users@lists.sourceforge.net
> >> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>
> --
> Warm Regards
>
> Supratik
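
The behaviour discussed in this thread, as an added Python example (not code from any poster and not SEC's own implementation): a file follower that remembers device, inode and size can tell an in-place append from a file that was replaced under the same name. The function names, the file name `p` in a temporary directory, and the model of an editor save as "write a new file and rename it over the old one" are assumptions made for the illustration.

```python
import os
import tempfile

def snapshot(path):
    """Record the identity (device, inode) and size of the file at path."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino, st.st_size)

def classify_change(prev, path):
    """Compare an earlier snapshot with the file now at path."""
    dev, ino, size = snapshot(path)
    if (dev, ino) != prev[:2]:
        return "recreated"   # different file object under the same name
    if size < prev[2]:
        return "truncated"   # same file, but the saved read offset is past EOF
    if size > prev[2]:
        return "appended"    # same file, new bytes after the saved offset
    return "unchanged"

def append_line(path, line):
    """Equivalent of `echo line >> path`: writes in place at the end."""
    with open(path, "a") as f:
        f.write(line + "\n")

def editor_style_save(path, new_text):
    """Assumed model of an editor save: write a new file, rename it over the old."""
    d = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=d)
    with os.fdopen(fd, "w") as f:
        f.write(new_text)
    os.replace(tmp, path)

def demo():
    """Apply both kinds of modification to a constructed log file."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "p")
        append_line(log, "event 1")
        before = snapshot(log)
        append_line(log, "event 2")
        after_append = classify_change(before, log)
        before = snapshot(log)
        editor_style_save(log, "event 1\nevent 2\nevent 3\n")
        after_edit = classify_change(before, log)
        return after_append, after_edit

if __name__ == "__main__":
    print(demo())
```

In the "recreated" and "truncated" cases a saved byte offset no longer refers to the same data, so a follower has no safe position to resume from other than the start of the file.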