Hi Agustin,

if you want to reset the entire state of SEC (not just event correlation operations, but also contexts, action list variables and other data), you can use the 'sigemul HUP' action. This action will emulate the reception of the HUP signal, which is used to reset all internal state of SEC.

However, if you want to reset only the event correlation operations for one or more rule files, you can use the following trick -- run an external script (for example, with the 'shellcmd' action) that uses the 'touch' utility for updating the timestamps of these rule files (for example, touch -c /etc/sec/myrules*.sec), and then sends the ABRT signal to the SEC process (for example, kill -ABRT `cat /run/sec.pid`). The ABRT signal forces SEC to reset event correlation operations for all rule files with updated modification timestamps, and also forces SEC to reload rules from these rule files.

kind regards,
risto

> Hi Risto,
>
> My name is Agustín,
>
> Is it possible to reset all the rules when an event is received?
>
> Kind regards,
> Agustín
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
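
The touch-and-ABRT procedure from the reply above, written out as an added shell example that is not part of the original thread or of SEC itself. The script name, the rule pattern and the pid file validation are assumptions; the paths /run/sec.pid and /etc/sec/myrules*.sec are the ones used in the message.

```shell
#!/bin/sh
# Added example (not from the original thread): helper for the touch + ABRT trick.
# A SEC rule could invoke it like this (pattern and script path are hypothetical):
#
#   type=Single
#   ptype=SubStr
#   pattern=RESET_MYRULES
#   desc=reset correlation operations for myrules*.sec
#   action=shellcmd /usr/local/sbin/sec-reset-rules.sh
#
# For a reset of the entire SEC state the action would instead be: sigemul HUP

# sec_reset_rules PIDFILE RULEFILE...
# Returns 0 on success, 2 on usage or pid file problems, 3 if the process is gone.
sec_reset_rules() {
    [ "$#" -ge 2 ] || return 2
    pidfile=$1
    shift
    [ -r "$pidfile" ] || return 2

    # Read the first line only and accept nothing but digits: "0" and negative
    # values make kill target process groups or every process, not one PID.
    IFS= read -r pid < "$pidfile" || [ -n "$pid" ] || return 2
    case $pid in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$pid" -gt 1 ] || return 2   # also refuse PID 1

    # Confirm the process exists before touching any rule file.
    kill -0 "$pid" 2>/dev/null || return 3

    # -c: update timestamps of existing files only, never create new rule files.
    touch -c -- "$@" || return 2

    # ABRT: SEC reloads rule files with new mtimes and resets their operations.
    kill -ABRT "$pid"
}

# Use the paths from the thread when executed under the assumed script name.
if [ "${0##*/}" = "sec-reset-rules.sh" ]; then
    sec_reset_rules /run/sec.pid /etc/sec/myrules*.sec
fi
```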