I'm about to implement an SEC rule that will be fairly critical to our business. It is a 'Pair' rule and at any time I may have multiple events that have matched pattern 1 and are waiting for pattern 2.
But I have a number of other use cases for SEC that I'm eager to implement. If at all possible I'd like to do this in a way that maintains the events waiting for pattern 2. Currently I have SEC installed in a Docker container and when I modify or add a rule (which I keep in separate .sec files) I restart the docker. This runs a command:

    /usr/bin/perl -w /usr/local/bin/sec --log=/dev/stdout --debug=5 --input=/var/log/logzilla/sec.log --input=/var/log/logzilla/sec/*.log --conf=/etc/logzilla/sec/*.sec

Will this lose the events that are waiting for pattern 2? If so, is there an alternative way to add additional rules (or modify existing rules) that will keep those events?

Thanks.
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users