> I have a service (freeradius w/jradius) that stops working one of two ways - the first is that it dies cleanly with the log stating it's shutting down jradius connections. This one is easy to catch with SEC, obviously. The second way is that it just stops working, and logging, even though the process is still running. The radius server gets enough traffic that I should see something every minute in the log, but I'd like to alert (via a script) when it hasn't logged anything for a period of time. As I see it, it's the opposite of what SEC is designed for. Is this possible with SEC?
>
> I've searched the archives, but haven't found anything - though I might be searching for the wrong terms.
>
> Thanks,
> -Jeremiah

Jeremiah,
Read John Rouillard's paper to the LISA2004 conference. Look for 'missing events'. John's example is with Sendmail, but it can be done with most any log. I implemented against DNS query transaction logs.

Ref: "Real-time log file analysis using the Simple Event Correlator (SEC)" <http://www.cs.umb.edu/~rouilj/sec/> by John P. Rouillard - a paper with SEC ruleset examples that was presented at USENIX LISA'2004.

My example below.

Tim Peiffer
Networking and Telecommunications Services
University of Minnesota/NorthernLights GigaPOP

# ----- detect missing events -----
# missing events (no events) indicates a service failure
# When no activity within 5 minutes, declare down.
# Ref: Lisa2004 paper by John Rouillard
#
# Regular Syslog event:
# Mar 30 19:35:24 myhost named[4834]:
# Apr  1 05:35:01 myhost named-cron[30290]: named: my local ns1/ns2/ns3 1/1/1 msec sz 12024 rss 8556 sock ovfl 0
# Query Transaction event:
# 01-Apr-2008 03:32:40.860 queries: info: client 192.168.255.14#57570: query: localhost IN A
#
# Rule 1: detect the event
type=single
ptype=RegExp
pattern=(\S+.*)
desc=DNS Name Service Up %Hostname - don't report as failed
context = named_6_minute && ! named_6_minute_inhibit
action=delete named_6_minute ; logonly - "delete named_6_minute due to expected traffic $1"

# Rule 2: define the time window and prep to report missing events
type=calendar
desc=Start searching for named invocations every 5 minute
time=0,5,10,15,20,25,30,35,40,45,50 * * * *
context= ! named_6_minute
action= create named_6_minute 70 write - "DNS Name Service Down , no traffic seen at %t" ; create named_6_minute_inhibit 55
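A small Python model of the two rules above, added here as an example and not part of Tim's post or of SEC itself: it replays constructed BIND query-log lines in the format quoted in the rule comments through the same context lifetimes (70 s window, 55 s inhibit, calendar ticks every 5 minutes) and reports when the write action embedded in the create would fire. The function names parse_query_times, missing_event_alerts and make_log are my own.

```python
# Added example, not from the original post: a Python model of the two SEC
# rules above, run over constructed BIND query-log lines in the quoted format.
from datetime import datetime, timedelta

WINDOW_S = 70   # lifetime the calendar rule gives named_6_minute
INHIBIT_S = 55  # lifetime it gives named_6_minute_inhibit
TICK_S = 300    # the calendar rule fires at every 5-minute mark

def parse_query_times(lines):
    """Timestamps of lines like '01-Apr-2008 03:32:40.860 queries: info: ...'."""
    stamps = (line.split(" queries:", 1)[0] for line in lines)
    return sorted(datetime.strptime(s, "%d-%b-%Y %H:%M:%S.%f") for s in stamps)

def missing_event_alerts(event_times, first_tick, last_tick):
    """Return the times at which the 'DNS Name Service Down' write fires.

    At each tick Rule 2 creates named_6_minute (WINDOW_S) and the inhibit
    context (INHIBIT_S).  Rule 1 deletes named_6_minute on an event only
    while the inhibit context is gone, so only an event falling in
    [tick+INHIBIT_S, tick+WINDOW_S) cancels the alarm; otherwise the
    context expires and the write action embedded in 'create' runs.
    """
    alerts, tick = [], first_tick
    while tick <= last_tick:
        inhibit_end = tick + timedelta(seconds=INHIBIT_S)
        expiry = tick + timedelta(seconds=WINDOW_S)
        if not any(inhibit_end <= t < expiry for t in event_times):
            alerts.append(expiry)
        tick += timedelta(seconds=TICK_S)
    return alerts

def make_log(start, end, period_s, gap=None):
    """Constructed sample: a query line every period_s seconds, skipping the
    half-open interval gap=(gap_start, gap_end) when given."""
    lines, t = [], start
    while t < end:
        if gap is None or not (gap[0] <= t < gap[1]):
            lines.append(t.strftime("%d-%b-%Y %H:%M:%S.000") + " queries: "
                         "info: client 192.168.255.14#57570: query: localhost IN A")
        t += timedelta(seconds=period_s)
    return lines

if __name__ == "__main__":
    t0 = datetime(2008, 4, 1, 3, 0, 0)
    end, last = t0 + timedelta(minutes=15), t0 + timedelta(minutes=10)
    steady = parse_query_times(make_log(t0, end, 20))
    print("steady traffic:", missing_event_alerts(steady, t0, last))
    gap = (t0 + timedelta(minutes=4), t0 + timedelta(minutes=9))
    outage = parse_query_times(make_log(t0, end, 20, gap))
    print("5-minute outage:", missing_event_alerts(outage, t0, last))
```

Note that an event cancels the alarm only if it lands between 55 and 70 seconds after a tick; a service that logs exactly once a minute at 30 seconds past the minute would be reported down at every tick, so the inhibit lifetime should be tuned to the expected traffic rate.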
_______________________________________________
Simple-evcorr-users mailing list
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
