hi,

since you haven't mentioned any error messages in the SEC log file, the problem
you are experiencing is probably caused by a non-existing FIFO when the 'write'
action is executed. The 'write' action works as follows -- it first checks
if the file exists and verifies its type, since writing to regular files,
FIFOs and standard output is implemented differently. However, if the file
does *not* exist, SEC creates it as a regular file and writes the event into
it. This behavior is also documented in the man page. Your script does not
actually verify that its input file is a FIFO, and when looking into your
code, it would actually work for both regular files and FIFOs. Also, your
script and SEC rule do not use absolute pathnames for the FIFO, but simply
assume that the FIFO exists in the current directory. However, since
according to your e-mail your script is not seeing any input from SEC, I
suspect that you have started your script and SEC from different
directories, which causes SEC to create a regular file in its own working
directory, while the script attempts to read from a FIFO in a different
directory. I would change the SEC rule and the script to work with absolute
path names, and I would also verify the type of the input from the script with
if (! -p "/var/log/fifo") { die "Input is not a fifo\n"; }

Using the 'write' action also implies another caveat -- when the 'write' action
is invoked for a file for the first time, SEC will keep the file open after
'write' has completed, so that the following 'write' actions for the same
file work faster. However, when you rotate or remove this file, the
filehandle that SEC has will point to a nameless file entity on the disk
(this is a known feature of all UNIX file systems). Therefore, any
subsequent 'write' through this filehandle will succeed, but will *not*
recreate the file as you might expect (this UNIX file system
feature is therefore often used by system programmers for creating temporary files
that no other process can access). In order to resolve this issue, you have
to send the SIGUSR2 signal to the SEC process after rotating/removing its
output files, so that the next execution of 'write' forces the file to
be reopened. So if in your setup the FIFO gets removed and recreated from
time to time, you have to dispatch SIGUSR2 to SEC immediately after each
FIFO removal. Another solution for this issue would be the use of the
'owritecl' action, which will *always* close the output file after each
write, and reopen it at the next write.

kind regards,
risto
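The two points above (the FIFO type check on an absolute path, and a writer's stale filehandle after the output file is removed) in one added example; this is not SEC's code nor the script from the thread, it builds its own scratch directory, and it assumes Linux, where opening a FIFO with '+<' does not block waiting for a writer:

```perl
#!/usr/bin/perl
# Added example, not SEC's code or the script from the thread. In a scratch
# directory it creates itself it shows (1) why a writer that keeps its
# filehandle open keeps writing into a nameless inode after the file is
# removed, and only recreates the file once the path is reopened (which is
# what SIGUSR2 makes SEC do before its next 'write'), and (2) the FIFO type
# check a reader should perform on an absolute path before reading. Assumes
# Linux, where opening a FIFO read/write ('+<') does not block.
use strict;
use warnings;
use IO::Handle;
use File::Temp qw(tempdir);
use POSIX qw(mkfifo);

my $dir  = tempdir(CLEANUP => 1);   # constructed scratch directory
my $out  = "$dir/SEC_out";          # absolute paths only, never "./SEC_fifo"
my $fifo = "$dir/SEC_fifo";

# --- 1. Stale filehandle after the output file is removed ---------------
open(my $fh, '>>', $out) or die "cannot open $out: $!";
$fh->autoflush(1);
print $fh "event 1\n";

unlink $out or die "unlink $out: $!";       # "rotate" the file away
print $fh "event 2\n";                      # succeeds, but no path leads to it
printf "after unlink, %s exists: %s\n", $out, (-e $out ? "yes" : "no");

close $fh;                                  # reopen by path, as SEC does after SIGUSR2
open($fh, '>>', $out) or die "cannot reopen $out: $!";
print $fh "event 3\n";
close $fh;
printf "after reopen, %s exists: %s\n", $out, (-e $out ? "yes" : "no");

# --- 2. Reader side: insist on a real FIFO before reading from it --------
mkfifo($fifo, 0600) or die "mkfifo $fifo: $!";
if (! -p $fifo) { die "Input is not a fifo\n"; }

open(my $rw, '+<', $fifo) or die "FIFO error on $fifo: $!";    # reader end
open(my $w,  '>',  $fifo) or die "writer error on $fifo: $!";  # stands in for SEC's 'write'
print $w "3,lossOfSignal\n";                                    # constructed event line
close $w;
my $event = <$rw>;
chomp $event;
print "Got: [$event]\n";
close $rw;
```

The first printf reports that the path no longer exists even though the write succeeded; the second reports it back after the reopen, which is the behaviour the SIGUSR2 advice above relies on.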

2014-10-09 6:25 GMT+03:00 andrewarnier <andrewarn...@gmail.com>:

> hi all,
>
> I want to connect SEC to MySQL, but when I run "/usr/bin/perl -w
> /usr/local/sbin/sec-2.7.5/sec -conf=/etc/snmp/snmptt_test_sec.cfg
> -input=/var/log/snmptt/snmptt.log" and "perl ./Db_code.pl",
>
> my write action in snmptt_test_sec.cfg didn't show any error message when it
> got the input, but nothing was written to ./SEC_fifo:
>
> # /usr/bin/perl -w /usr/local/sbin/sec-2.7.5/sec
> -conf=/etc/snmp/snmptt_test_sec.cfg -input=/var/log/snmptt/snmptt.log
> SEC (Simple Event Correlator) 2.7.5
> Reading configuration from /etc/snmp/snmptt_test_sec.cfg
> 7 rules loaded from /etc/snmp/snmptt_test_sec.cfg
> Opening input file /var/log/snmptt/snmptt.log
> Interactive process, SIGINT can't be used for changing the logging level
>
> Calling code 'CODE(0xe3b820)' and setting variable '%time'
> Variable '%time' set to '2014-10-09 10:38:56'
> Writing event '3,lossOfSignal' to file SEC_fifo
>
> But if I enter the following in another window:
>
> $ echo blah blah blah >> SEC_fifo
> $ echo blah blah blah2 >> SEC_fifo
> $ echo quit >> SEC_fifo
>
> it causes the script to read and process the input:
>
> Reading from FIFO...
> Got: [blah blah blah], inserted it.
> Got: [blah blah blah2], inserted it.
> Found a row: id = 1, line = blah blah blah
> Found a row: id = 2, line = blah blah blah2
>
> My sec.cfg rule:
>
> type=Single
> ptype=Regexp
> pattern=(\S+) 10.10.11.15 Loss Of Signal in (\S+)
> \(criticalServiceAffecting\),ifIndex=(.+)
> desc=TP-15600 Loss of signal events for interface $3 ifIndex=$4
> action=lcall %time -> ( sub { my(@time) = localtime(); \
> my($timestamp) = sprintf( "%04d-%02d-%02d %02d:%02d:%02d", \
> $time[5]+1900, $time[4]+1, $time[3], $time[2], $time[1], $time[0]); \
> return $timestamp; } );write SEC_fifo
> lossOfSignal,CISCO-15600,$2,%time,Critical,$3
>
> my DB_cod.perl:
>
> #!/usr/bin/perl
> #
> # Example S8.2.01.pl  - Script to read data out of a named pipe
> #                       and write to MySQL database.
> #
> $| = 1;
>
> use strict;
> use DBI();
>
> my $filename;
> my $inputline;
> my $linenumber;
>
> # Open FIFO first.  FIFO must already exist.
> $filename = "./SEC_fifo";
> open(FIFO, "+< $filename") or die "FIFO error on $filename $!";
>
> # Connect to MySQL. Database 'sedb' must already exist.
> my $dbh = DBI->connect("DBI:mysql:database=sedb;host=X.X.X.X",
>                        "user", "pwd",
>                        {'RaiseError' => 1});
> eval { $dbh->do("DROP TABLE foo") };
> print "Dropping table foo failed: $@\n" if $@;
> # Create a new table 'foo'. This must not fail, thus we don't
> # use eval.
> $dbh->do("CREATE TABLE foo (id INTEGER, textline VARCHAR(80))");
> print "Reading from FIFO...\n";
> while (<FIFO>)
> {
>   $inputline = $_;
>   # Quit read loop when requested.
>   last if($inputline =~ /quit/i);
>   chop $inputline;
>   $linenumber++;
>   print "Got: [$inputline]\n ";
>   # Insert data into table 'foo', using placeholders
>   #  $dbh->do("INSERT INTO foo VALUES (?, ?)",
>   #             undef,
>   #             $linenumber,
>   #             $inputline);
>   #  print "inserted it.\n";
> }
> # Now retrieve data from the table.
> my $sth = $dbh->prepare("SELECT * FROM foo");
> $sth->execute();
> while (my $ref = $sth->fetchrow_hashref()) {
>   print "Found a row: id = $ref->{'id'}, line = $ref->{'textline'}\n";
> }
> # Drop table 'foo'. At this point, table 'foo' exists, so
> # we won't use an eval. (Dropping it only once: with RaiseError set,
> # a second DROP TABLE would die.)
> $dbh->do("DROP TABLE foo");
> $sth->finish();
> # Disconnect from the database and close the FIFO.
> $dbh->disconnect();
> close(FIFO);
> exit;
>
> Thanks,
>
> Andrew
>
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users