On 10/19/2011 01:55 PM, Supratik Goswami wrote:
> When monitoring a file using SEC, it normally tails on that file and
> any new changes can be matched against some pattern.
> If someone edits that file using any editor, SEC recognizes that the
> file has been recreated and shows the message below:
>
> Input file ./testdir/p has been recreated
> Shuffled ./testdir/p, reopening and processing from the start
>
> Now it will find all the matches again which it has done earlier.
>
> Is there any way I can tell SEC to tail again without processing the
> file from the start and alert once?
>
> --
> Warm Regards
>
> Supratik
>

Unfortunately that can't be done. When the log file size decreases, it normally means that the logging process has truncated its log to 0 and some new events have been written to the beginning of the file.

However, if you want to monitor specific files which get written both by processes and end users, I'd recommend doing this through FIFOs and using separate scripts to copy the file content into the FIFOs. Given the fact that the files are freely edited by end users, they don't seem to be regular log files, so a FIFO might be a better approach for other reasons as well.

kind regards,
risto

> ------------------------------------------------------------------------------
> All the data continuously generated in your IT infrastructure contains a
> definitive record of customers, application performance, security
> threats, fraudulent activity and more. Splunk takes this data and makes
> sense of it. Business sense. IT sense. Common sense.
> http://p.sf.net/sfu/splunk-d2d-oct
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
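
An added example, not part of the original thread and not code from the SEC project: one way to build the "separate script" that copies file content into a FIFO so that an editor recreating the file does not replay old events. The function names, paths and the line-based state file are assumptions made for illustration; SEC is assumed to read the FIFO through its `--input` option.

```shell
#!/bin/sh
# Added example: forward only not-yet-seen lines of an editable file to a FIFO.
# feed_new_lines, watch_file and every path used with them are hypothetical.

# feed_new_lines SRC FIFO STATE
#   SRC   - file that processes and end users may edit or recreate
#   FIFO  - named pipe read by SEC (e.g. sec --conf=rules.conf --input=FIFO)
#   STATE - regular file remembering every line already forwarded
# Prints the number of lines forwarded by this call.
feed_new_lines() {
    src=$1 fifo=$2 state=$3
    # Create FIFO and state file readable by the owner only.
    [ -p "$fifo" ] || mkfifo -m 600 "$fifo" || return 1
    [ -f "$state" ] || ( umask 077; : > "$state" ) || return 1
    [ -r "$src" ] || { echo 0; return 0; }

    # Whole-line, fixed-string comparison against the state file, so the
    # result does not depend on inode, size or offset of SRC. awk drops
    # duplicates within this batch. Limitation: a line that legitimately
    # repeats verbatim (no timestamp) is forwarded only once.
    new=$(grep -Fxv -f "$state" -- "$src" | awk '!seen[$0]++')
    if [ -z "$new" ]; then echo 0; return 0; fi

    # Opening the FIFO for writing blocks until a reader has it open.
    printf '%s\n' "$new" > "$fifo" || return 1
    printf '%s\n' "$new" >> "$state"
    printf '%s\n' "$new" | wc -l | tr -d ' '
}

# watch_file SRC FIFO STATE [INTERVAL]: poll SRC forever (default 5 seconds).
watch_file() {
    while :; do
        feed_new_lines "$1" "$2" "$3" > /dev/null
        sleep "${4:-5}"
    done
}
```

The state file grows with every forwarded line, so it needs the same rotation and access control as the monitored file itself.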