Hi Stuart,
The reason you are not seeing sec debug-level messages in syslog files
might be the following -- these messages are logged with the syslog 'debug'
severity, but on many distributions such messages are not written to any
log file by default. For example, many Linux distributions log debug-level
messages only for 'mail' and a few other facilities. Please have a look into
the configuration of your local syslog daemon and check how 'local0.debug'
priority is handled.
Also, you can write all sec messages into a separate non-syslog file if you
use the --log command line option.
Hope this helps,
risto
On Oct 24, 2016 10:18 PM, "Stuart Kendrick" <stua...@alleninstitute.org>
wrote:
> I have SEC running on one machine. Works great.
>
>
>
> Now I’m trying to persuade SEC to run on a second machine, and I’m having
> trouble. Seems to load just fine … but after ‘Reading configuration from
> …’, SEC doesn’t log any messages about “x rules loaded from …”.
>
> And, in fact, it isn’t acting on any of those rules (which it hasn’t read).
>
>
>
> Any tips to offer, for how to troubleshoot the ‘reading / loading’
> phase? I have looked at debug level … but it seems to me that SEC runs by
> default at debug level 6, i.e. the highest level, and that’s what I’m
> doing. At any rate, adding “--debug=6” to the invocation line hasn’t
> resulted in any additional messages arriving in syslog.
>
>
>
>
>
> GOOD
>
> 2016-10-24T10:26:32.587371-07:00 guru sec[16710]: SEC (Simple Event
> Correlator) 2.7.10
>
> 2016-10-24T10:26:32.587570-07:00 guru sec[16710]: Reading configuration
> from /opt/local/etc/sec/cisco.conf
>
> 2016-10-24T10:26:32.588022-07:00 guru sec[16710]: 4 rules loaded from
> /opt/local/etc/sec/cisco.conf
>
> 2016-10-24T10:26:32.588140-07:00 guru sec[16710]: Reading configuration
> from /opt/local/etc/sec/isilon.conf
>
> 2016-10-24T10:26:32.588296-07:00 guru sec[16710]: 2 rules loaded from
> /opt/local/etc/sec/isilon.conf
>
> 2016-10-24T10:26:32.588405-07:00 guru sec[16710]: Reading configuration
> from /opt/local/etc/sec/toc.conf
>
> 2016-10-24T10:26:32.590144-07:00 guru sec[16710]: 27 rules loaded from
> /opt/local/etc/sec/toc.conf
>
> 2016-10-24T10:26:32.590294-07:00 guru sec[16710]: No --bufsize command
> line option or --bufsize=0, setting --bufsize to 1
>
>
>
> BAD
>
> Oct 24 10:38:37 pinda sec[25496]: SEC (Simple Event Correlator) 2.7.10
>
> Oct 24 10:38:37 pinda sec[25496]: Reading configuration from
> /opt/local/etc/sec/cisco.conf
>
> Oct 24 10:38:37 pinda sec[25496]: Reading configuration from
> /opt/local/etc/sec/isilon.conf
>
> Oct 24 10:38:37 pinda sec[25496]: Reading configuration from
> /opt/local/etc/sec/toc.conf
>
> Oct 24 10:38:37 pinda sec[25496]: Opening input file /var/log/syslog
>
>
>
>
>
>
>
> BOTH
>
> cat /etc/system/system/sec.service
>
>
>
> [Unit]
>
> Description=Simple Event Correlator
>
> AssertFileIsExecutable=/opt/local/script/sec
>
> AssertPathExistsGlob=/opt/local/etc/sec/*.conf
>
> After=syslog.target network.target
>
>
>
> [Service]
>
> Type=simple
>
> ExecStart=/opt/local/script/sec --conf=/opt/local/etc/sec/*.conf
> --input=/var/log/syslog --tail --syslog=local0 --nodetach
> --pid=/var/run/sec.pid --quoting
>
> ExecReload=/bin/kill -HUP $MAINPID
>
> User=root
>
>
>
> [Install]
>
> WantedBy=multi-user.target
>
>
>
> --sk
>
>
>
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
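
Added example (not part of the original thread and not SEC code): a simplified evaluator for traditional sysklogd/rsyslog-style selector lines, showing how a default rule set can drop 'local0.debug' while still writing 'local0.info' and 'mail.debug'. The sample configuration, the /var/log/sec.log path and the function names are constructed for illustration; RainerScript, property filters and syslog-ng syntax are not handled.

```python
import re

# Severities from most to least severe; a plain "fac.prio" selector matches
# that priority and everything more severe.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}
RULE = re.compile(r"^([\w*,]+\.[!=]*[\w*]+(?:;[\w*,]+\.[!=]*[\w*]+)*)\s+(\S.*)$")

def selector_matches(selector, facility, severity):
    """Evaluate a 'sel;sel;...' field left to right, like a per-priority bitmask."""
    sev = SEVERITIES.index(severity)
    matched = False
    for part in selector.split(";"):
        facs, _, prio = part.rpartition(".")
        if not {facility, "*"} & set(facs.split(",")):
            continue  # this selector does not mention our facility
        negate, exact = "!" in prio, "=" in prio
        prio = prio.lstrip("!=")
        prio = ALIASES.get(prio, prio)
        if prio == "none":
            matched = negate  # "fac.none" clears everything set so far
            continue
        level = None if prio == "*" else SEVERITIES.index(prio)
        hit = level is None or (sev == level if exact else sev <= level)
        if hit:
            matched = not negate
    return matched

def destinations(config, facility, severity):
    """Return the action of every rule line that accepts facility.severity."""
    out = []
    for line in config.splitlines():
        m = RULE.match(line.strip())  # comments and directives do not match
        if m and selector_matches(m.group(1), facility, severity):
            out.append(m.group(2).strip())
    return out

# Constructed sample resembling a common distribution default (not from the thread).
DEFAULT_CONF = """\
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
mail.*                                      -/var/log/maillog
authpriv.*                                  /var/log/secure
"""
# Hypothetical fix: a dedicated rule for the facility SEC logs to (--syslog=local0).
FIXED_CONF = DEFAULT_CONF + "local0.debug    /var/log/sec.log\n"

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("fixed", FIXED_CONF)):
        print(name, "local0.debug ->", destinations(conf, "local0", "debug") or "dropped")
```
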