Hi,
I am stuck trying to get rsyslog to write to sec.
rsyslog is working, but I am writing the logs to a separate larger disk
mounted at and called "varlog":
$template PerHostLog,"/varlog/remote/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%.log"
if $fromhost-ip startswith '192.168.' then -?PerHostLog
&~
If I point sec (/etc/sysconfig/sec) to where the current day's syslogs are,
then life is good, so I need to use named pipes.
I am using RHEL 6.5
rsyslogd -v
rsyslogd 7.4.9, compiled with:
FEATURE_REGEXP: Yes
FEATURE_LARGEFILE: No
GSSAPI Kerberos 5 support: Yes
FEATURE_DEBUG (debug build, slow code): No
32bit Atomic operations supported: Yes
64bit Atomic operations supported: Yes
Runtime Instrumentation (slow code): No
uuid support: Yes
-
SEC (Simple Event Correlator) 2.7.4
I have this in my rsyslog.conf:
module(load="omprog")
*.* action(type="omprog"
binary="/usr/local/bin/sec.sh"
template="RSYSLOG_TraditionalFileFormat")
-
sec.sh contains:
#!/bin/bash
# Use an absolute path to sec: a relative path would depend on rsyslogd's working directory.
/usr/bin/sec --conf=/etc/sec/sec.conf --notail --input=-
But I cannot seem to get log messages to actually get handled by sec.
Any help will be appreciated.
Thanks,
James
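An added way to check the wrapper outside rsyslog (example code, not from the post or from the rsyslog/SEC projects): it runs the omprog wrapper the way omprog does, one process with log lines on stdin, and reports whether it is executable and whether it ran to completion. The wrapper path is an argument, and the syslog lines are constructed samples in the RSYSLOG_TraditionalFileFormat shape.

```shell
#!/bin/sh
# Added example: exercise an omprog wrapper script as rsyslog would invoke it.
# Usage: probe_wrapper /usr/local/bin/sec.sh
# Returns 0 if the wrapper consumed the sample input and exited cleanly,
# 2 if it is missing, 3 if it is not executable, otherwise the wrapper's own exit code.

# Constructed sample lines (not real log data) in RSYSLOG_TraditionalFileFormat.
SAMPLE_LINES='Jan 17 10:00:01 host1 sshd[1234]: Accepted publickey for alice from 192.168.1.5 port 4242 ssh2
Jan 17 10:00:02 host1 sshd[1235]: Failed password for invalid user bob from 192.168.1.9 port 4243 ssh2'

probe_wrapper() {
    wrapper="$1"
    if [ ! -f "$wrapper" ]; then
        echo "probe: $wrapper does not exist" >&2
        return 2
    fi
    if [ ! -x "$wrapper" ]; then
        echo "probe: $wrapper is not executable (omprog needs +x)" >&2
        return 3
    fi
    # Same shape as omprog: a single child process reading lines from stdin.
    printf '%s\n' "$SAMPLE_LINES" | "$wrapper"
    rc=$?
    if [ "$rc" -eq 127 ]; then
        echo "probe: wrapper exited 127 (command not found): check the binary path inside it" >&2
    elif [ "$rc" -ne 0 ]; then
        echo "probe: wrapper exited $rc" >&2
    fi
    return "$rc"
}
```

A wrapper that resolves its binary by a relative path fails here with exit code 127, which is the same failure omprog sees but does not surface as a sec problem.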
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users