hi Jaren,

if you want to establish the number of input files that are currently
open, you would have to check the number of entries in the %inputsrc
hash table within the sec code space. Here is an example which
illustrates how to do that:

type=Calendar
time=* * * * *
desc=report the number of open input files
action=lcall %n -> ( sub { scalar(grep { $main::inputsrc{$_}->{"open"} } \
                                  keys %main::inputsrc) } ); \
       logonly %n input file(s) are open

The above Calendar rule will find the number of open input files once
a minute, and report this number to sec's own log.

However, if you have trouble with opening specific input files and
want to produce notifications with their names, I think it is best to
monitor sec's own log (possibly with another sec instance), in order
to detect relevant error messages from sec's own log. Furthermore, if
you can't open input files because they have not been created yet when
sec starts, I think the best solution is to use the --reopen-timeout
command line option. For example, with --reopen-timeout=5, sec will
check input files that are not open after each 5 seconds, and will
attempt to open them. If the open succeeds for some file and the file
was newly created, sec will process all lines in the input file and
will then switch to the usual tail mode. If the open fails, sec will
attempt to open the file again after 5 seconds.

Hope this helps,
risto

2016-09-09 9:50 GMT+03:00 Jaren Peich <burkol...@gmail.com>:
> Hi Risto,
>
> Sorry for answering late. I was on holidays.
> I want to precalculate how many files sec is going to open and compare it with
> the number of files that we think sec should open, and validate the input
> paths, because sometimes sec with Strawberry Perl doesn't load all paths.
>
> Thank you! Regards.
>
> 2016-08-28 11:39 GMT+02:00 Risto Vaarandi <risto.vaara...@gmail.com>:
>>
>> hi Jaren,
>> I noticed that sec has been started with the --notail and --fromstart
>> options. This means that sec reads the input file from the beginning to the
>> end, and when EOF is observed, it will exit. Therefore, given these command
>> line options, sec can never reach the state "input file is open, and no new
>> data has been observed in this file for N seconds". The --input-timeout and
>> --timeout-script options only make sense in the --tail mode when you are
>> tracking input files in real time for the appearance of new data. What are
>> you actually trying to accomplish -- is your intention to scan already
>> existing log files which are known to be complete and do not change during
>> the processing?
>> kind regards,
>> risto
>>
>> 2016-08-25 16:16 GMT+03:00 Jaren Peich <burkol...@gmail.com>:
>>>
>>> Hi,
>>>
>>> Sorry for the typo, I hadn't realised that it didn't copy the last line.
>>>
>>> I was trying to achieve the goal and I don't know why they are not working.
>>>
>>>
>>> First idea:
>>>
>>> perl C:\sec -intevents -fromstart -notail -conf=C:\event.conf -input=C:\log.log -input-timeout=60 -timeout-script=C:\line.bat -log=Log.log
>>>
>>> Output:
>>> The script executes as normal, but the problem is that it doesn't keep
>>> running until the 60 s elapse and doesn't execute the .bat script. I also
>>> tried with a Perl script and it wasn't executed.
>>> I tested with rules that are working and we had the same result.
>>>
>>>
>>> Second idea:
>>>
>>>
>>> General input for all the rules:
>>> _____________________________________________________________________
>>> Mon Aug  8 14:54:42 2016: 2 rules loaded from C:\events.conf
>>> Wed Aug 24 06:59:01 2016: Opening input file C:\sec.log
>>> _____________________________________________________________________
>>>
>>>
>>> First option:
>>>
>>> type=EventGroup2
>>> ptype=RegExp
>>> pattern = .{25}\s(\d+)\srules\sloaded\sfrom\s(.*)
>>> count = create cHold 60
>>> thresh=1
>>> ptype2=RegExp
>>> pattern2=.{25}\sOpening\sinput\sfile\s(.*)
>>> thresh2=1
>>> context2=cHold
>>> window=60
>>> action =delete cHold;create cHold 60;
>>> end = write c:\alerts.log "Error in SEC files"
>>> desc=acumula
>>>
>>> Output:
>>> It executes the rules but doesn't wait until the context or rule finishes. I
>>> also used "set" to modify the context, with the same result as before.
>>>
>>> Second option:
>>>
>>> type=suppress
>>> ptype=regexp
>>>
>>> pattern=(.*SEC_STARTUP.*|.*SEC_PRE_RESTART.*|.*SEC_RESTART.*|.*SEC_PRE_SOFTRESTART.*|.*SEC_SOFTRESTART.*|.*SEC_PRE_LOGROTATE.*|.*SEC_LOGROTATE.*|.*SEC_SHUTDOWN.*)
>>>
>>> type=single
>>> ptype=regexp
>>> continue =dontcont
>>> pattern=.{25}\s(\d+)\srules\sloaded\sfrom\s(.*)
>>> desc=acumula
>>> action=create cHold 60
>>>
>>>
>>> type=single
>>> ptype=regexp
>>> continue =dontcont
>>> pattern=.{25}\sOpening\sinput\sfile\s(.*)
>>> context=cHold
>>> desc=acumula
>>> action=delete cHold;create cHold 60
>>>
>>> type=single
>>> ptype=regexp
>>> pattern=.*
>>> context=!cHold
>>> desc=acumula
>>> action=write c:\alerts.log "Error loading files"
>>>
>>> Output:
>>> It executes the rules but doesn't wait until the context or rule finishes. I
>>> also used "set" to modify the context and I had the same result as before.
>>>
>>> Third option:
>>>
>>> type=suppress
>>> ptype=regexp
>>>
>>> pattern=(.*SEC_STARTUP.*|.*SEC_PRE_RESTART.*|.*SEC_RESTART.*|.*SEC_PRE_SOFTRESTART.*|.*SEC_SOFTRESTART.*|.*SEC_PRE_LOGROTATE.*|.*SEC_LOGROTATE.*|.*SEC_SHUTDOWN.*)
>>>
>>> type=single
>>> ptype=regexp
>>> continue =dontcont
>>> pattern=.{25}\s(\d+)\srules\sloaded\sfrom\s(.*)
>>> desc=acumula
>>> action=create cHold 60
>>>
>>>
>>> type=single
>>> ptype=regexp
>>> continue =dontcont
>>> pattern=.{25}\sOpening\sinput\sfile\s(.*)
>>> context=cHold
>>> desc=acumula
>>> action=reset -1
>>>
>>> type=single
>>> ptype=regexp
>>> pattern=.*
>>> context=!cHold
>>> desc=acumula
>>> action=write c:\alerts.log "Error loading files"
>>>
>>> Output:
>>> It executes the rules but doesn't wait until the context or rule finishes. I
>>> also used "set" to modify the context and I had the same result as before.
>>>
>>>
>>> I don't know how to keep the rule or context window alive until it
>>> finishes, and how to write and detect that it is not writing. Also, is it
>>> possible to know how many files it is going to read when you use a "regex"
>>> as an input? Example: -input=c:\*.log
>>> If you can calculate the number of files being opened beforehand, you can
>>> calculate the thresh of the rule and stop when it is finished.
>>>
>>> Thanks for your help Risto! Regards.
>>>
>>>
>>> 2016-08-23 12:47 GMT+02:00 Risto Vaarandi <risto.vaara...@gmail.com>:
>>>>
>>>>
>>>>
>>>> 2016-08-23 11:25 GMT+03:00 Jaren Peich <burkol...@gmail.com>:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I have tested on Windows Server 2008 + Strawberry Perl and it is not
>>>>> working as expected because it doesn't run the script option.
>>>>
>>>>
>>>> These options should be supported on windows. How have you specified
>>>> them on command line and have you checked sec error log for relevant error
>>>> messages?
>>>>
>>>>>
>>>>>
>>>>> I tried the second option and I don't know what's happening, but the rule
>>>>> doesn't wait until the context disappears and does the action in the "end"
>>>>> block code. Any ideas?
>>>>
>>>>
>>>>
>>>> The EventGroup2 rule you have specified lacks the 'desc' field and
>>>> produces the following error message in the sec log:
>>>>
>>>> Rule in test-eventgroup.conf at line 1: Keyword 'desc' missing (needed
>>>> for EVENTGROUP2 rule)
>>>>
>>>> Since the rule definition is invalid, it is not loaded by sec, and that
>>>> might be one of the reasons why the rule appears to be not working.
>>>>
>>>> Also, the contexts that are created in the rule definition do not
>>>> influence the lifetime of event correlation operations started by this 
>>>> rule.
>>>> So if you create the context cHold in the EventGroup2 rule and adjust its
>>>> lifetime, the context cHold is a completely independent entity and does not
>>>> prolong the lifetime of the counting operation started by this rule. The
>>>> lifetime of the operation is fully determined by the occurrence times of
>>>> events that match the 'pattern' and 'pattern2' fields.
>>>>
>>>> regards,
>>>> risto
>>>>
>>>>>
>>>>>
>>>>> Rule:
>>>>> type=EventGroup2
>>>>> ptype=RegExp
>>>>> pattern = .*rules.*
>>>>> count = create cHold 60
>>>>> thresh=1
>>>>> ptype2=RegExp
>>>>> pattern2=.*Opening.*
>>>>> thresh2=1
>>>>> window=60
>>>>> action =set cHold 60;reset -1
>>>>> end = write c:\alerts.log "Error in SEC files"
>>>>>
>>>>> Thank you Risto! Regards.
>>>>
>>>>
>>>
>>
>
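Added example (not code from the thread or from sec itself): an offline checker for the approach Risto recommends above, watching sec's own log, applied to Jaren's question of validating which input paths sec actually opened. It relies only on the "Opening input file" message format quoted in the thread; the log text and the expected path list are constructed sample data.

```python
import re

# Constructed sample of sec's own log. The "Opening input file" lines follow the
# format quoted in the thread; the first line is filler with the same timestamp.
SEC_LOG = """\
Mon Aug  8 14:54:42 2016: 2 rules loaded from C:\\events.conf
Wed Aug 24 06:59:01 2016: Opening input file C:\\sec.log
Wed Aug 24 06:59:01 2016: Opening input file C:\\logs\\App1.log
Wed Aug 24 06:59:06 2016: Opening input file c:\\logs\\app2.log
"""

# sec's timestamp is 24 characters ("Wed Aug 24 06:59:01 2016") followed by ": ".
OPEN_RE = re.compile(r"^(.{24}): Opening input file (.+?)\s*$")


def normalize(path):
    """Canonical form for comparing Windows paths: one separator, lower case."""
    return path.strip().replace("/", "\\").lower()


def parse_opened(log_text):
    """Map each input file sec reported opening to the timestamp of that line.

    A file opened more than once (e.g. after --reopen-timeout retried it, or
    after log rotation) keeps the latest timestamp.
    """
    opened = {}
    for line in log_text.splitlines():
        m = OPEN_RE.match(line)
        if m:
            opened[normalize(m.group(2))] = m.group(1)
    return opened


def check_inputs(expected_paths, log_text):
    """Compare the paths we expect sec to read with what its log says it opened.

    Returns (number_opened, missing, unexpected): `missing` are expected paths
    with no "Opening input file" line (candidates for --reopen-timeout or a
    wrong -input path), `unexpected` are opened paths not on the expected list
    (e.g. a glob such as c:\\*.log matched more files than planned).
    """
    expected = {normalize(p) for p in expected_paths}
    opened = set(parse_opened(log_text))
    return len(opened), sorted(expected - opened), sorted(opened - expected)


if __name__ == "__main__":
    planned = [r"C:\sec.log", r"C:\logs\app1.log", r"C:\logs\app2.log", r"C:\logs\app3.log"]
    count, missing, extra = check_inputs(planned, SEC_LOG)
    print(f"{count} input file(s) opened; never opened: {missing}; unexpected: {extra}")
```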

------------------------------------------------------------------------------
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
