I've loaded this rule myself without the action commented out. I also
tested a synthetic event matching your log line and it appears to work up
until the action (since I don't have the script). This rule will always
fail to load when any of the required keyword=value pairs for the rule
type are commented out or missing, though, as indicated by the error
logging for SEC.
SEC (Simple Event Correlator) 2.7.2
Reading configuration from /usr/local/sec/cfgs/test.cfg
1 rules loaded from /usr/local/sec/cfgs/test.cfg
Opening input file /data/logs/test.log
Stdin connected to terminal, SIGINT can't be used for changing the logging level
(echo'd synthetic log line) echo "[org.apache.catalina.startup.Catalina] Server startup in 44 ms" >> /data/logs/test.log
Executing shell command '/usr/local/sbin/pki/jboss-cpria3100-logrotate.sh'
Can't exec "/usr/local/sbin/pki/jboss-cpria3100-logrotate.sh": No such file or directory at /usr/local/bin/sec line 3798.
Child 11623 created for command '/usr/local/sbin/pki/jboss-cpria3100-logrotate.sh'
Child 11623 terminated with non-zero exitcode 1 ( /usr/local/sbin/pki/jboss-cpria3100-logrotate.sh )
Aaron Erickson
aaron.erick...@zootweb.com
Zoot Enterprises, Inc. www.zootweb.com
555 Zoot Enterprises Lane, Bozeman, MT 59718
406.556.7529 fax: 406.587.8414
From: <ward.p.fonte...@wellsfargo.com>
To: <simple-evcorr-users@lists.sourceforge.net>
Date: 06/25/2013 12:16 PM
Subject: Re: [Simple-evcorr-users] Pattern Match question
Thanks to all for the examples and explanations; they greatly helped not
only in this but in general knowledge of how to pattern match and utilize
SEC. Below is the configuration I am using as well as the new error I'm
getting. Any insight would be great.
# Prod Rules
type=Single
ptype=RegExp
pattern=\[org\.apache\.catalina\.startup\.Catalina\] Server startup in ([0-9]+) ms
desc=$0
#action=shellcmd /usr/local/sbin/pki/jboss-cpria3100-logrotate.sh
SEC (Simple Event Correlator) 2.7.1
Reading configuration from /etc/sec/sec-cpria3100-jboss.conf
Rule in /etc/sec/sec-cpria3100-jboss.conf at line 4: Keyword 'pattern' missing (needed for SINGLE rule)
Rule in /etc/sec/sec-cpria3100-jboss.conf at line 4: Keyword 'desc' missing (needed for SINGLE rule)
Rule in /etc/sec/sec-cpria3100-jboss.conf at line 4: Keyword 'action' missing (needed for SINGLE rule)
Rule in /etc/sec/sec-cpria3100-jboss.conf at line 7: Keyword 'type' missing
No valid rules found in configuration file /etc/sec/sec-cpria3100-jboss.conf
Opening input file /var/app-serverlogs/prod/cpria3100-jboss.log
Stdin connected to terminal, SIGINT can't be used for changing the logging level
From: ward.p.fonte...@wellsfargo.com [mailto:ward.p.fonte...@wellsfargo.com]
Sent: Monday, June 24, 2013 9:27 AM
To: simple-evcorr-users@lists.sourceforge.net
Subject: [Simple-evcorr-users] Pattern Match question
Is there a good resource to demonstrate how to match more complex
patterns? I need to match this pattern and I'm stumped.
[org.apache.catalina.startup.Catalina] Server startup in 44 ms
Any help is greatly appreciated.
Paul Fontenot
Enterprise Key Management & Public Key Infrastructure | EIST&O | ETS | TOG
| Wells Fargo
2600 S. Price Rd. 2nd Floor | Chandler, AZ 85286
MAC S3939-022
Cell (480) 650-0301
ward.p.fonte...@wellsfargo.com
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
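Added example, not part of the original thread and not SEC's own code: a small pre-load check that reports missing required keywords in Single rules, as discussed in the reply above. It assumes that an empty or comment line ends a rule definition and that a trailing backslash continues a line; the function names, the sample files and the line-numbering convention (first line of each rule) are constructed for illustration.

```python
# Added example: pre-load check for SEC rule files (not SEC's own code).
# Assumes: empty/comment lines end a rule, a trailing "\" continues a line.
REQUIRED = {"single": ("ptype", "pattern", "desc", "action")}  # Single only

def split_rules(text):
    """Yield (first_line_number, {keyword: value}) per rule definition."""
    rule, start, pending = {}, None, ""
    for num, raw in enumerate(text.splitlines(), 1):
        line, pending = (pending + raw).strip(), ""
        if line.endswith("\\"):                  # continued on the next line
            pending, start = line[:-1], start or num
            continue
        if not line or line.startswith("#"):     # separator closes the rule
            if rule:
                yield start, rule
            rule, start = {}, None
            continue
        key, _, value = line.partition("=")
        start = start or num
        rule[key.strip().lower()] = value.strip()
    if rule:
        yield start, rule

def lint(text):
    """Return [(line, message)] for rules that would fail to load."""
    findings = []
    for start, rule in split_rules(text):
        rtype = (rule.get("type") or "").lower()
        if not rtype:
            findings.append((start, "Keyword 'type' missing"))
            continue
        for key in REQUIRED.get(rtype, ()):
            if not rule.get(key):
                msg = f"Keyword '{key}' missing (needed for {rtype.upper()} rule)"
                findings.append((start, msg))
    return findings

# Constructed samples based on the rule quoted in the thread.
BASE = r"""type=Single
ptype=RegExp
pattern=\[org\.apache\.catalina\.startup\.Catalina\] Server startup in ([0-9]+) ms
desc=$0
"""
ACTION = "action=shellcmd /usr/local/sbin/pki/jboss-cpria3100-logrotate.sh\n"
COMMENTED = "# Prod Rules\n" + BASE + "#" + ACTION   # action commented out
LOADABLE = "# Prod Rules\n" + BASE + ACTION          # all keywords present
SPLIT = LOADABLE.replace("ptype=RegExp\n", "ptype=RegExp\n\n")  # blank line in rule
if __name__ == "__main__":
    for name, cfg in (("commented", COMMENTED), ("loadable", LOADABLE), ("split", SPLIT)):
        print(name, lint(cfg) or "ok")
```

The SPLIT sample shows how a blank line inside a rule produces two incomplete definitions: the first lacks pattern, desc and action, and the second lacks type.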