hi Jaren, if you would like to track individual input files for lack of new data in a given timeframe, you could take advantage of --input-timeout and --timeout-script command line options. These command line options work as follows -- if no new data has been seen in an input file during the number of seconds given with the --input-timeout option, the shell script given with the --timeout-script option is executed. When the shell script is executed, its first command line parameter is 1 (denotes lack of data) and the second parameter is the name of the input file. When new data is observed again in this input file, the script is executed with command line parameters 0 (denotes new data) and the name of the input file.
For example, suppose sec is executed with the following command line:

sec --input=/var/log/messages --input-timeout=60 --timeout-script="/bin/echo"

If no bytes appear in /var/log/messages during 60 seconds, sec will execute the following command line:

/bin/echo 1 /var/log/messages

If this command line has been executed in the past and a new line appears in /var/log/messages, sec will execute the command line

/bin/echo 0 /var/log/messages

Instead of /bin/echo that I've used in the above example, you would need to write your own script which would issue an alert if the first command line parameter is 1, and an "error clear" message if it is 0.

Note that there are also other ways for detecting the lack of input data. For example, you could update the lifetime of a context when an input line appears, and have the action-on-expire of this context send you an alert (the expiration of the context means that you haven't seen input lines for N seconds, where N is the lifetime of the context).

Hope this helps,
risto

2016-08-19 10:39 GMT+03:00 Jaren Peich <burkol...@gmail.com>:
> Hi,
>
> I want to design a rule to detect that sec could not open log files.
>
> Firstly, I have to check that rules have been loaded into sec. I do this by
> detecting the string "rules loaded from" in the sec log file.
> Secondly, I have to detect that no new log row is written to the sec log file,
> or that an error has been written to the log file.
> I want to check that sec has received no input data in a minute. If no input
> data was found in that minute, or the error was written, generate an alert.
> The doubt is how I can check input sources on sec: is sec waiting for more
> logs, or is it reading?
>
> I use Sec 2.6.2 with Windows.
>
> The following code is my alert structure:
>
> File1.conf
> ______________________________________________________________________________
>
> type = Jump
> ptype = RegExp
> desc = $0
> continue = TakeNext
> pattern = (.*)
> varmap = sal;log=0;
> cfset = sal
>
> ______________________________________________________________________________
> File2.conf
> ______________________________________________________________________________
>
> type = Options
> joincfset = sal
> procallin = no
>
> type = Jump
> ptype = Cached
> continue = TakeNext
> context = ($+{log} -> (sub { index($_[0], "No valid rules found in configuration file") != -1; })) \
>   || ($+{log} -> (sub { index($_[0], "Unmatched") != -1; })) \
>   || ($+{log} -> (sub { index($_[0], "Error evaluating code") != -1; })) \
>   || ($+{log} -> (sub { index($_[0], "Can't jump to fileset") != -1; })) \
>   || ($+{log} -> (sub { index($_[0], "Invalid context specification") != -1; }))
> pattern = sal
> cfset = sal-Alerta
>
> type = Jump
> ptype = Cached
> continue = TakeNext
> context = ($+{log} -> (sub { index($_[0], "rules loaded from") != -1; })) \
>   || ($+{log} -> (sub { index($_[0], "Opening input file") != -1; }))
> pattern = sal
> cfset = sal-Alerta
>
> ______________________________________________________________________________
> File4.conf
> ______________________________________________________________________________
>
> type = Options
> joincfset = sal-Alerta
> procallin = no
>
> # The debug print() calls below come last in each sub so that the
> # index() comparison, not the print, is the value the context evaluates to.
> type = EventGroup2
> ptype = Cached
> pattern = sal
> context = ($+{log} -> (sub { print "Check1!!!!!!!!"; index($_[0], "rules loaded from") != -1; }))
> action = none
> thresh = 1
> ptype2 = Cached
> pattern2 = sal
> context2 = ($+{log} -> (sub { print "Check2!!!!!!!!"; index($_[0], "Opening input file") != -1; }))
> thresh2 = 1
> window = 60
> desc = Fichero_$+{inputsrc}
> action = write C:\alert.log "No file reading";
>
> Thank you for your help Risto! Regards.
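The --timeout-script handler that Risto describes above, written out as an added example (it is not code from the original thread or from the sec project). sec calls the script with two arguments: a state flag (1 when --input-timeout seconds have elapsed with no new data, 0 when data is seen again) and the input file name. The script turns each call into an ALERT or CLEAR line in an alert log and rejects anything that does not match that contract. The log path in ALERT_LOG and the install path used in the usage note are assumptions.

```shell
#!/bin/sh
# sec --timeout-script handler (added example, not from the original thread).
# sec invokes it as:  <script> 1 <inputfile>   when --input-timeout seconds
#                                              pass with no new data in the file
#                     <script> 0 <inputfile>   when new data is observed again
# ALERT_LOG is an assumed location; override it in the environment if needed.
ALERT_LOG="${ALERT_LOG:-/var/log/sec-input-alerts.log}"

# Print one event line for the given state (1 = no data, 0 = data resumed).
# Any other state returns 1 so a mis-invocation never produces a bogus event.
format_event() {
    state="$1"
    file="$2"
    ts="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    case "$state" in
        1) printf '%s ALERT input=%s msg="no new data within input timeout"\n' "$ts" "$file" ;;
        0) printf '%s CLEAR input=%s msg="new data observed"\n' "$ts" "$file" ;;
        *) return 1 ;;
    esac
}

# Entry point used by sec: validate the two arguments and append the event
# to ALERT_LOG. Returns 0 on success, 1 on bad arguments or an unwritable log.
handle_timeout() {
    [ "$#" -eq 2 ] || return 1
    [ -n "$2" ] || return 1
    msg="$(format_event "$1" "$2")" || return 1
    printf '%s\n' "$msg" >> "$ALERT_LOG" || return 1
}

# Only dispatch when sec actually called us with its two arguments, so the
# functions above can also be sourced and exercised without side effects.
if [ "$#" -eq 2 ]; then
    handle_timeout "$1" "$2"
fi
```

Install it executable at an assumed path such as /usr/local/bin/sec-input-timeout.sh and point sec at it with --input-timeout=60 --timeout-script=/usr/local/bin/sec-input-timeout.sh; following Risto's description, sec runs the script once when the file goes quiet and once more when data returns, so the script does not need to suppress repeats itself. Because the log path is the only thing the script writes to, it can be run with the same limited privileges as sec.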
------------------------------------------------------------------------------
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users