Wow! 20 years of SEC!
Superb lightweight tool suitable for many applications and excellent support
via this user group.
And each year SEC continues to evolve with new capabilities.
Thank you very much Risto!
And many thanks too for those that participate in this SEC user group across
the
"$1" Xmit Bytes="$2" Rcv Bytes="$3"%{.nl}
If you go this route, then you'll need to further test. Since once again I
only tested with a minimal set of test data of my own concoction.
Regards,
Rock
From: MILLS, ROCKY
Sent: Thursday, October 03, 2019 6:50 PM
To: 'simple-evcor
Hi David,
Here's your same rule and same regular expressions using ptype=regexp instead
of using perlfunc:
type=pair
ptype=regexp
pattern=User <([^\s]+)>.+IP <([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})>.+IPv4 Address <([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})>
desc=Get Name - Global
If the bufsize=1 default occurs, upon loading its rules would SEC print a
warning or an error message for each rule that is using pattern types like
RegExp3, NRegExp2, and PerlFunc5? If so, then existing rules could be checked
in advance for any bufsize=1 issues by running SEC with --testonly
Hi Andrew,
You can use 'eval' action to reformat the $1 timestamp. Same perl code (except
you need %% for month_hash):
eval %time ( my $str = "$1";\
my @months=('jan','feb','mar','apr','may','jun','jul','aug','sep','oct','nov','dec');\
my ($day,$mon,$date,$year,$time)
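The message above is cut off on this page. The following is an added example, not Rocky's or Andrew's code, showing a complete SEC rule that does the same kind of thing: an eval action that reformats a captured timestamp with a Perl month lookup. It assumes a ctime-style prefix such as "Thu Oct  3 18:50:01 2019 login ok" (constructed input, so the capture order differs from the snippet above) and writes the normalized line to stdout. Note the doubled %% wherever the Perl code needs a literal percent sign (the hash sigil and the sprintf formats), since a single % introduces a SEC action-list variable.

```sec
# Added example (not from the thread). Normalizes
#   Thu Oct  3 18:50:01 2019 login ok
# into
#   2019-10-03 18:50:01 login ok
# $1 and $2 are substituted by SEC before the Perl code is compiled, so $1 is
# quoted; %% is the escape for a literal % inside an action.
type=Single
ptype=RegExp
pattern=^(\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (.+)$
desc=normalize ctime-style timestamp
action=eval %iso ( my $str = "$1"; \
    my @months = ('jan','feb','mar','apr','may','jun','jul','aug','sep','oct','nov','dec'); \
    my %%idx; @idx{@months} = (1..12); \
    my ($wday, $mon, $mday, $time, $year) = split(/\s+/, $str); \
    sprintf("%%04d-%%02d-%%02d %%s", $year, $idx{lc $mon}, $mday, $time); ); \
    write - %iso $2
```

Run it with something like `sec --conf=ts.sec --input=-` and feed a line on stdin; the value of the last Perl expression becomes %iso, so no explicit return is needed, although return works as in Rocky's snippet.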
Hi Natalia,
I recently used these two rules to add a new daily input file (e.g.
/myappx/log/appx.log.20140820) by creating a link to the daily created log file:
type=Single
continue=dontcont
ptype=regexp
pattern=SEC_STARTUP
desc=$0
action=eval %logfileprefix (return "/myappx/log/appx.log";); \
Hi John,
This reply is not related to your notes below but I am curious about how (and
why) you're using SEC with Nagios. Could you elaborate at a high level? I'm
not very familiar with Nagios but from my reading it contains a lot of
functionality. Doesn't Nagios support SEC-like
26, 2014 3:18 PM
To: simple-evcorr-users@lists.sourceforge.net
Subject: Re: [Simple-evcorr-users] Nagios and SEC
Hi Rocky:
In message 2490B3D57700AD4BA03D09581F3DDFC9014EF4EB@GAALPA1MSGUSR9K.ITServices.sbc.com, MILLS, ROCKY writes:
This reply is not related to your notes below but I am curious
:27 AM
To: simple-evcorr-users@lists.sourceforge.net
Subject: Re: [Simple-evcorr-users] Input field within rule definition
On 04/05/2011 11:54 PM, MILLS, ROCKY (ATTSI) wrote:
For discussion only -- not an immediate need to be addressed.
~
Well, the 'input' field looks like a synonym
For discussion only -- not an immediate need to be addressed.
~
For some rule sets I've defined context per multiple files per the SEC
command line options. E.g. -input=/app/myapp/log/my.log=mylog. In this
way I can specify rules per specific files by simply using the defined
context such as
I vaguely recall that I have one or two multi-word contexts but it's not
a big deal to change to single-word contexts. At first I think I didn't
understand why those rules worked (since I didn't realize multi-word
contexts were supported), but it was apparent that the rule worked so I
think I
for the feedback.
Regards,
Rock
-Original Message-
From: Risto Vaarandi [mailto:rvaara...@yahoo.com]
Sent: Thursday, April 23, 2009 3:23 PM
To: simple-evcorr-users@lists.sourceforge.net; Mills, Rocky
Subject: Re: [Simple-evcorr-users] Logpp and SEC input sources
From: Mills, Rocky rx4
Risto, Anyone,
I was considering counting various string matches using SEC across
numerous (over potentially 20) logs simultaneously. There should be few
string matches, but when combined at peak times there could be perhaps
several thousand extraneous lines to parse per second. SEC may be able
Instead of adding values to a context you could save the values in a
perl hash formatting as you go along.
For example (not tested):
Rule action collecting IP per connection:
action=eval %ip_msg ($ldap_conn{$1} = "from IP address $2"; return $ldap_conn{$1}; )
Rule action collecting
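Risto's suggestion above is sketched and, as he says, untested. The following is an added, complete rule set (not his code) that carries it through: a global Perl hash keyed by connection id is filled by an eval action on ACCEPT, read back on BIND to annotate the report with the source address, and cleared when the connection closes so the hash does not grow without bound. The input lines are constructed OpenLDAP-style entries; the field layout and the file name are assumptions.

```sec
# Added example (not from the thread). Constructed input lines:
#   conn=1000 fd=12 ACCEPT from IP=10.0.0.5:51234 (IP=0.0.0.0:389)
#   conn=1000 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
#   conn=1000 fd=12 closed
# %ldap_conn is a package global (no "my"), so it survives between events.
# $1/$2 are substituted textually by SEC before the Perl code runs.

type=Single
ptype=RegExp
pattern=conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+
desc=remember source IP of connection $1
action=eval %ip_msg ( $ldap_conn{$1} = "from IP address $2"; return $ldap_conn{$1}; )

type=Single
ptype=RegExp
pattern=conn=(\d+) op=\d+ BIND dn="([^"]+)"
desc=report bind on connection $1
action=eval %ip_msg ( exists $ldap_conn{$1} ? $ldap_conn{$1} : "from unknown IP"; ); \
       write - BIND by $2 on conn=$1 %ip_msg

type=Single
ptype=RegExp
pattern=conn=(\d+) fd=\d+ closed
desc=forget connection $1
action=eval %dummy ( delete $ldap_conn{$1}; )
```

With the three constructed lines fed in order, the second rule writes "BIND by cn=admin,dc=example,dc=com on conn=1000 from IP address 10.0.0.5". Compared with adding values to a SEC context, the hash costs one Perl assignment per event and keeps only the string you intend to report, which is the point Risto is making about event rates.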
Jeroen,
Perhaps some simulation/analysis could be done without modifying SEC
internals but by changing how you input events into SEC and scaling back
the times you specified in your rules.
You could setup a reader-feeder program that reads your logs and feeds
SEC the events with delays/sleeps in