Nevermind... I found out it was simply the order of the SEC_ARGS statements...
You have to list them in the correct sequential order in the file...
for example, this won't work:
SEC_ARGS[1]="-detach -conf=/etc/sec/firewall/*.sec
-input=/data/syslog/firewall/firewall-amer.log -log=/var/log/sec.firewall
-intevents -pid=/var/run/sec.firewall.pid"
SEC_ARGS[2]="-detach -conf=/etc/sec/*.sec
-input=/home/syslog/network/network-amer.log -log=/var/log/sec.network
-intevents -pid=/var/run/sec.pid"
SEC_ARGS[0]="-detach -conf=/etc/sec/wireless/*.sec
-input=/data/syslog/wireless/wireless-amer.log -log=/var/log/sec.wireless
-intevents -pid=/var/run/sec.wireless.pid"
Sorry about the spam.
-mike
________________________________
From: Michael Kantowski <mjkantow...@yahoo.com>
To: sec <simple-evcorr-users@lists.sourceforge.net>
Sent: Friday, January 27, 2012 4:01 PM
Subject: [Simple-evcorr-users] Multiple instances of SEC
Hello,
I really like SEC.
I was able to set up two instances of SEC, but when trying to add a third, it
doesn't seem to work. Here is what it looks like when I start the sec service:
----
[root@alf sec]# service sec start
Starting sec instance 1: SEC (Simple Event Correlator) 2.6.1
Changing working directory to /
Reading configuration from /etc/sec/firewall/firewall.sec
2 rules loaded from /etc/sec/firewall/firewall.sec
Opening input file /data/syslog/firewall/firewall-amer.log
[ OK ]
Starting sec instance 2: SEC (Simple Event Correlator) 2.6.1
Changing working directory to /
Reading configuration from /etc/sec/layer3.sec
11 rules loaded from /etc/sec/layer3.sec
Reading configuration from /etc/sec/netscreen.sec
4 rules loaded from /etc/sec/netscreen.sec
Reading configuration from /etc/sec/spantree.sec
1 rules loaded from /etc/sec/spantree.sec
Opening input file /home/syslog/network/network-amer.log
[ OK ]
Starting sec instance 3:
[root@alf sec]#
-----
I've gone over all of the configuration items and I see no reason why instance
3 would not start up. In fact, if I disable one of the two instances, then the
instance that was failing to start has no problem starting. So I am only able
to get two instances running at once.
thanks,
Mike
------------------------------------------------------------------------------
Try before you buy = See our experts in action!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-dev2
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
------------------------------------------------------------------------------
Try before you buy = See our experts in action!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-dev2
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
