I'm using syslog-ng to pipe events to SEC 2.7.4. At times, in what seems to be higher volumes of syslog traffic (maybe 100 log messages/sec), I don't see SEC taking action on some rules (it's not making it into the SEC logfile). I do not have any rate limiting set up for said rules.
Here's an example of a rule that seems to be processed intermittently:

    type=Single
    continue=DontCont
    ptype=RegExp
    pattern=\S+\s+\S+\s+\S+\s+(\S+).domain.com clamscan: Time: (\S+) sec .* - <user.notice>
    desc=$0
    action=shellcmd /usr/local/zabbix/

The above rule might have about 15 hours reporting data within a 15 minute period. Additionally, there are no other rules that would match this (trying to rule out a window).

Syslog-ng config:

    destination log_watch {
        program("/usr/local/sbin/sec.pl -input=\"-\" -conf /etc/sec.conf -debug=5 -log=/var/log/sec.log -dump=/tmp/sec.dump" template(t_fp));
    };
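When events go missing under load, the first thing to rule out is that the rule's regular expression is silently failing on some lines rather than SEC dropping them. The script below is an added example, not code from the post or from SEC: it compiles the pattern from the rule above exactly as written and runs it over a few constructed syslog lines. The line layout is an assumption, since the post does not show the t_fp template; the hostnames and timings are made up. Note that the dots in `.domain.com` and `<user.notice>` are unescaped and therefore match any single character, which is why the pattern still matches; a line with a different facility/priority suffix or an unrelated program does not match at all, and SEC would correctly take no action on it.

```python
import re

# Pattern copied verbatim from the SEC rule in the post. SEC applies Perl
# regexes with search semantics (no implicit anchoring), and Python's re
# module handles this particular pattern identically. The '.' characters in
# ".domain.com" and "<user.notice>" are unescaped metacharacters here.
SEC_PATTERN = re.compile(
    r"\S+\s+\S+\s+\S+\s+(\S+).domain.com clamscan: Time: (\S+) sec .* - <user.notice>"
)

# Constructed sample lines (not from the original post). They assume the
# syslog-ng t_fp template renders "<MON> <DAY> <TIME> <HOST> <MESSAGE> - <FAC.PRI>".
SAMPLE_LINES = [
    "Mar 10 12:00:01 mail01.domain.com clamscan: Time: 12.345 sec (0 m 12 s) - <user.notice>",
    "Mar 10 12:00:02 mail02.domain.com clamscan: Time: 9.1 sec (0 m 9 s) - <user.notice>",
    # Same message but logged at a different priority: the trailing literal
    # "<user.notice>" does not match, so SEC would never fire this rule.
    "Mar 10 12:00:03 mail03.domain.com clamscan: Time: 9.1 sec (0 m 9 s) - <user.info>",
    # Unrelated message from another program.
    "Mar 10 12:00:04 mail01.domain.com sshd[123]: Accepted publickey for bob",
]


def match_rule(line):
    """Return (short_host, seconds) if the rule's pattern matches, else None.

    The tuple corresponds to SEC's $1 and $2 for this rule.
    """
    m = SEC_PATTERN.search(line)
    if m is None:
        return None
    return m.group(1), m.group(2)


def run_rule(lines):
    """Apply the rule to every line and return the list of captured
    (host, seconds) pairs for the lines that matched."""
    return [hit for hit in (match_rule(line) for line in lines) if hit is not None]


def count_unmatched(lines):
    """Number of input lines the pattern does not match. Comparing this to
    the number of lines syslog-ng delivered tells you whether a 'missing'
    event was a regex miss or an actual drop."""
    return sum(1 for line in lines if match_rule(line) is None)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{match_rule(line)!s:<22} {line}")
    print("matched:", len(run_rule(SAMPLE_LINES)), "unmatched:", count_unmatched(SAMPLE_LINES))
```

Feeding a saved chunk of the real syslog-ng output through `run_rule` and comparing the hit count against what reaches /var/log/sec.log separates the two failure modes: if the offline count is higher than what SEC logged, the events were delivered but lost somewhere between the pipe and the action; if the counts agree, the lines that went missing simply never matched the pattern.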