2015-07-15 23:07 GMT+03:00 David Lang <da...@lang.hm>:

> On Wed, 15 Jul 2015, Risto Vaarandi wrote:
>
>> Hi David,
>> I noticed that sec is running without --notail option, but this causes sec
>> to stay around even after rsyslog has closed the write end of the pipe. I
>> would suggest including the --notail option in the sec command line which
>> causes it to exit when rsyslog closes the pipe (for more information, there
>> is also a relevant entry in the sec FAQ).
>>
>
> Thanks, that will solve the problem of alerting, but it won't give me info
> on what else is going on.
>
> when rsyslog exits, it properly stops sec, and I am not seeing anything in
> the rsyslog logs to indicate what's going on from its point of view.
>

Is my understanding correct that you would like to have sec running even
after rsyslog has exited, and have ways to re-establish the connection
between sec and rsyslog when rsyslog starts again? If so, I'd recommend
using a named pipe (FIFO) instead of a memory based pipe, and running sec
*without* the --notail option on the named pipe.
risto


>
> even if I have SEC configured with a shutdown action to save state, the
> new copy will already be running before the old copy gets a chance to do
> anything.
>
> before today I thought this was associated with log rotation, but while I
> see some of this that is happening at the log rotation time, I'm seeing
> other times well clear of the minute boundary when log rotation takes place.
>
> David Lang
>
>
>> Kind regards, risto
>> On Jul 15, 2015 10:29 PM, "David Lang" <da...@lang.hm> wrote:
>>
>>> I have rsyslog starting sec with lines like:
>>>
>>> action(type="omprog" name="sec-heartbeat" binary="/usr/bin/sec
>>> --conf=/etc/sec/missing-logs --intevents --intcontexts
>>> --dump=/tmp/dumpfile.missing-logs --debug=5
>>> --log=/var/log/sec-missing-logs
>>> --input -" template="manual" hup.signal="USR2")
>>>
>>> I'm running into a problem where sec is 'lost' by rsyslog. Rsyslog starts
>>> a new copy, but the instance of sec continues to run (and causes alerts
>>> based on the lack of new input)
>>>
>>> the log at debug level 5 shows things like:
>>>
>>> Wed Jul 15 11:14:01 2015: SIGUSR2 received: closing outputs and restarting logging
>>> Wed Jul 15 11:14:01 2015: Creating SEC internal context 'SEC_INTERNAL_EVENT'
>>> Wed Jul 15 11:14:01 2015: Creating SEC internal event 'SEC_LOGROTATE'
>>> Wed Jul 15 11:14:01 2015: Deleting SEC internal context 'SEC_INTERNAL_EVENT'
>>> Wed Jul 15 11:14:27 2015: SEC (Simple Event Correlator) 2.7.5
>>> Wed Jul 15 11:14:27 2015: Reading configuration from /etc/sec/missing-logs
>>> Wed Jul 15 11:14:27 2015: Opening input file -
>>> Wed Jul 15 11:14:27 2015: Creating SEC internal context 'SEC_INTERNAL_EVENT'
>>> Wed Jul 15 11:14:27 2015: Creating SEC internal event 'SEC_STARTUP'
>>> Wed Jul 15 11:14:27 2015: Deleting SEC internal context 'SEC_INTERNAL_EVENT'
>>> Wed Jul 15 11:14:35 2015: SEC (Simple Event Correlator) 2.7.5
>>> Wed Jul 15 11:14:35 2015: Reading configuration from /etc/sec/missing-logs
>>> Wed Jul 15 11:14:35 2015: Opening input file -
>>> Wed Jul 15 11:14:35 2015: Creating SEC internal context 'SEC_INTERNAL_EVENT'
>>> Wed Jul 15 11:14:35 2015: Creating SEC internal event 'SEC_STARTUP'
>>> Wed Jul 15 11:14:35 2015: Deleting SEC internal context 'SEC_INTERNAL_EVENT'
>>> Wed Jul 15 11:15:01 2015: SIGUSR2 received: closing outputs and restarting logging
>>> Wed Jul 15 11:15:01 2015: Creating SEC internal context 'SEC_INTERNAL_EVENT'
>>> Wed Jul 15 11:15:01 2015: Creating SEC internal event 'SEC_LOGROTATE'
>>> Wed Jul 15 11:15:01 2015: Deleting SEC internal context 'SEC_INTERNAL_EVENT'
>>> Wed Jul 15 11:16:02 2015: SIGUSR2 received: closing outputs and restarting logging
>>> Wed Jul 15 11:16:02 2015: Creating SEC internal context 'SEC_INTERNAL_EVENT'
>>> Wed Jul 15 11:16:02 2015: Creating SEC internal event 'SEC_LOGROTATE'
>>> Wed Jul 15 11:16:02 2015: Deleting SEC internal context 'SEC_INTERNAL_EVENT'
>>>
>>> what can I do to try and get more info from sec about what it's seeing
>>> happen?
>>>
>>> This was happening every few weeks, but today it's happening much more
>>> frequently (twice in a minute in the sample logs above)
>>>
>>> David Lang
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Don't Limit Your Business. Reach for the Cloud.
>>> GigeNET's Cloud Solutions provide you with the tools and support that
>>> you need to offload your IT needs and focus on growing your business.
>>> Configured For All Businesses. Start Your Cloud Today.
>>> https://www.gigenetcloud.com/
>>> _______________________________________________
>>> Simple-evcorr-users mailing list
>>> Simple-evcorr-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>>>
>>>
>>
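
Added illustration, not part of the original thread and not sec or rsyslog code: the pipe behaviour behind the --notail and named-pipe suggestions above, with a plain shell reader standing in for sec and short-lived writers standing in for rsyslog. The temporary FIFO path and the function names are constructed for the example.

```shell
#!/bin/sh
# Anonymous (memory based) pipe: the reader's input ends for good when the
# only writer exits. Prints how many lines were read before EOF.
read_from_anonymous_pipe() {
    echo "event from writer 1" | {
        n=0
        while read -r _line; do n=$((n + 1)); done
        # The loop ended on EOF. A reader that exits here (as sec does with
        # --notail, per the thread) cannot be orphaned by the writer.
        echo "$n"
    }
}

# Named pipe (FIFO): the reader keeps running while one writer exits and a
# new one attaches by path. Prints how many lines the single reader received.
read_from_fifo_across_restart() {
    dir=$(mktemp -d) || return 1
    fifo="$dir/events.fifo"                  # constructed path
    # Mode 600: only the owning account may inject events into the reader.
    mkfifo -m 600 "$fifo" || { rm -rf "$dir"; return 1; }
    # Open read-write so this reader also holds a write end and never sees
    # EOF when a writer leaves (Linux behaviour; POSIX leaves opening a FIFO
    # read-write unspecified).
    exec 3<>"$fifo"
    ( echo "event from writer 1" > "$fifo" )   # first writer starts and exits
    ( echo "event from writer 2" > "$fifo" )   # restarted writer reconnects
    n=0
    for _i in 1 2; do
        read -r _line <&3 && n=$((n + 1))
    done
    exec 3<&-
    rm -rf "$dir"
    echo "$n"
}

echo "anonymous pipe: lines before EOF = $(read_from_anonymous_pipe)"
echo "named pipe: lines across writer restart = $(read_from_fifo_across_restart)"
```
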