Hi Savakh,

For scanning old log files, you can use the --notail command line option. However, sec does not parse timestamps of incoming events, but rather sets the event occurrence time from the local system clock (in other words, it assumes that occurrence time is the time of reception). Therefore, you can't replay more complex event correlation scenarios from the past, but can test simpler rules only (for example, verify if a Single rule matches an event and writes it to given output).

Kind regards,
risto
On Aug 5, 2016 5:01 PM, "Savakh S" <[email protected]> wrote:

> I understood my mistake, this is because I worked with old static log
> files instead of generating real time logs.
> So Risto, is there a way to work with old log files?
>
> Thank you for your help.
>
> BR
>
> 2016-08-05 10:54 GMT+02:00 Savakh S <[email protected]>:
>
>> Hi Risto,
>>
>> Thank you for your answer. I used your script but still nothing is
>> written in the output file.
>> I did a different test where I used the standard input instead of the
>> --input=/var/log/my_log.log and the output file is well written.
>>
>> So I think that SEC doesn't read my input file. What do you think?
>>
>> Best regards
>>
>> 2016-08-04 23:33 GMT+02:00 Risto Vaarandi <[email protected]>:
>>
>>> hi Savakh,
>>>
>>> I would recommend a few small modifications to the rule. Firstly, the
>>> regular expression given with the 'pattern' field does not need to be
>>> enclosed in double quotes -- if you use them, they are treated as a part of
>>> the regular expression itself. The same goes for the filename given in the
>>> 'action' field -- any preceding or following double quote will be treated
>>> as part of the filename, which is probably not what you want. After
>>> modifying the rule accordingly
>>>
>>> type=Single
>>> ptype=RegExp
>>> pattern=test
>>> desc=detect test
>>> action=write /var/log/test.log
>>>
>>> it will match any line that gets written to /var/log/my_log.log and
>>> contains the string
>>> test
>>> and will write the string
>>> detect test
>>> to the file /var/log/test.log.
>>>
>>> kind regards,
>>> risto
>>>
>>> 2016-08-04 16:38 GMT+03:00 Savakh S <[email protected]>:
>>>
>>>> Hello all,
>>>>
>>>> When I run SEC nothing seems to be happening:
>>>>
>>>> # sec --conf=my_file.conf --input=/var/log/my_log.log
>>>> Reading configuration from my_file.conf
>>>> 1 rules loaded from my_file.conf
>>>> Opening input file /var/log/my_log.log
>>>> Interactive process, SIGINT can't be used for changing the logging level
>>>>
>>>> The content of my_file.conf:
>>>> type=Single
>>>> ptype=RegExp
>>>> pattern= "test"
>>>> desc=detect test
>>>> action=write "/var/log/test.log"
>>>>
>>>> Can anybody help me?
>>>>
>>>> Thanks a lot.
>>>>
>>>> ------------------------------------------------------------------------------
>>>>
>>>> _______________________________________________
>>>> Simple-evcorr-users mailing list
>>>> [email protected]
>>>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
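As an added illustration of the quoting pitfall Risto points out (this is example code written for this page, not code from the thread or from SEC itself), the snippet below parses both rule variants, lints them for stray double quotes, and applies the pattern to a sample line the way a ptype=RegExp rule would; the parser's whitespace trimming is an assumption of the demo, not a statement about SEC's config reader.

```python
import re

# Constructed sample rules (added example): the original post's rule with
# the stray double quotes, and Risto's corrected version.
BROKEN_RULE = """\
type=Single
ptype=RegExp
pattern= "test"
desc=detect test
action=write "/var/log/test.log"
"""

FIXED_RULE = """\
type=Single
ptype=RegExp
pattern=test
desc=detect test
action=write /var/log/test.log
"""

def parse_rule(text):
    """Split a rule block into field -> value. Everything after '=' is kept
    verbatim (whitespace trimming is an assumption of this demo), so any
    double quotes stay inside the regex or filename, as Risto describes."""
    rule = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        rule[key.strip()] = value.strip()
    return rule

def lint_rule(rule):
    """Flag the two quoting mistakes discussed in the thread."""
    warnings = []
    pat = rule.get("pattern", "")
    if len(pat) >= 2 and pat[0] == '"' and pat[-1] == '"':
        warnings.append("pattern: surrounding quotes become part of the regex")
    m = re.match(r"write\s+(\S+)", rule.get("action", ""))
    if m and m.group(1).startswith('"'):
        warnings.append("action: surrounding quotes become part of the filename")
    return warnings

def matches(rule, event):
    """Apply the rule's regex to one input line as a ptype=RegExp rule would."""
    return re.search(rule["pattern"], event) is not None
```

With the broken rule, a log line containing plain `test` does not match because the regex is literally `"test"` including the quotes, while the corrected rule matches it.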
