Hi all,

I'm quite new to SEC and was tasked with replacing our home-grown log
file analysis tool with it. The setup isn't real-time monitoring but
rather going over a log file of a certain size and spitting out a
report. So far the results look quite promising, but there are two last
wrinkles to iron out.

1) Counters/Quotes

One of the requested features is that the SEC setup would count
repeated log messages and, after parsing the file, report the total
number of times each occurred.
An example is something like this:

SEC COUNTER: machine.domain oracle core dumped: 11

I managed to get this somewhat working by doing the following:

---
# Rule 1: strip the syslog timestamp ($1) and count the remaining
# message text ($2). continue=takenext lets the line fall through to
# the next rule as well. NOTE: $2 is substituted textually into the
# Perl code, so a quote in the message breaks the expression.
type=single
desc=start counting $0
ptype=regexp
continue=takenext
pattern=^(\w+\s+\d+\s+\d+:\d+:\d+) (.+)
action=eval %c ( $counters{'$2'}++ )

# Rule 2: write each distinct message once per 24h (86400 s).
type=singlewithsuppress
desc=$2
ptype=regexp
pattern=(\w+\s+\d+\s+\d+:\d+:\d+) (.+)
action=write logfile: $1 $2
window=86400

# Rule 3: at shutdown, compile a function that lists every counter
# above 10, call it, and write the result to the report.
type=single
desc=shutdown
ptype=substr
pattern=SEC_SHUTDOWN
context=SEC_INTERNAL_EVENT
action=eval %display_counters ( @output = "" ; sub { \
        foreach my $k ( sort keys %counters ) { \
                if ( $counters{$k} > 10 ) { \
                        push(@output, "SEC COUNTER: $k: $counters{$k}") \
                } \
        } \
        return @output; \
} ); call %res %display_counters ; write logfile %res
---

As you can see, it isn't the most elegant of solutions. Also, the
eval() action in the "start counting" rule breaks whenever the log
message contains a single quote.

So I was wondering if someone would know or could suggest a more
elegant solution for either counting the total amount of events or
escaping single and double quotes in variables when using them in
eval().

The goal is to keep a count of repeating messages and, whenever there
are more than 10 occurrences, print out a message. The
SingleWithThreshold type (with a large enough window) would only
partially help, but I'd also need to display a total count of any
message repeating.

2) dumping statistics

I'd like to dump statistics after it has processed the file so I can
review the order of my rules; I tried something like this:

type=Single
ptype=RegExp
pattern=EOF\s*$
desc=$0
action=eval %k ( $pid=$$$; kill (USR1, $pid); kill(TERM, $pid));

(source: http://sixshooter.v6.thrupoint.net/SEC-examples/article-part2.html)

which doesn't work in my experience. Does anyone have a suggestion how
to generate this?

Kind regards,
Gregory
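The count-then-report logic from the first question, as an added example that is not part of the original post and not SEC's own code. It is a Python stand-in for the three rules above: it uses the same timestamp regex, counts each message body, and at end of file emits the "SEC COUNTER" lines for anything seen more than 10 times. The point it makes is the one behind the quote problem: the SEC action pastes $2 into Perl source, so a log message is effectively code and a single quote (or a crafted message) changes what the eval executes, whereas here the message is only ever a dictionary key. The sample log lines are constructed for the example; the 11 "core dumped" lines mirror the report in the post.

```python
import re
from collections import Counter

# Same capture layout as the posted SEC rule: syslog timestamp, then the rest.
LINE_RE = re.compile(r"^(\w+\s+\d+\s+\d+:\d+:\d+) (.+)$")

THRESHOLD = 10  # report messages seen more than this many times


def count_messages(lines):
    """Count occurrences of each log message body (timestamp stripped).

    The message text is used only as a dictionary key and is never spliced
    into source code, so quotes or Perl/shell syntax in a log line are inert.
    """
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if m:  # lines without a syslog timestamp are ignored, as in the rule
            counts[m.group(2)] += 1
    return counts


def counter_report(counts, threshold=THRESHOLD):
    """Return the 'SEC COUNTER' lines for messages over the threshold, sorted."""
    return [
        f"SEC COUNTER: {msg}: {n}"
        for msg, n in sorted(counts.items())
        if n > threshold
    ]


# Constructed sample log (not from the original post): 11 core dumps, a
# message containing a single quote, a message that looks like a Perl
# injection attempt, and one line without a timestamp.
SAMPLE_LOG = (
    ["Jun  3 10:%02d:00 machine.domain oracle core dumped" % i for i in range(11)]
    + ["Jun  3 10:20:00 machine.domain sshd: user 'root' login failed"] * 3
    + ["Jun  3 10:30:00 machine.domain app: x'}; system(\"id\"); #"]
    + ["this line has no syslog timestamp and is ignored"]
)


def run_report(lines=SAMPLE_LOG):
    """Process a whole file and return (all counts, threshold report)."""
    counts = count_messages(lines)
    return counts, counter_report(counts)


if __name__ == "__main__":
    counts, report = run_report()
    for line in report:
        print(line)
    # Total count of every repeated message, not only those over the threshold.
    for msg, n in sorted(counts.items()):
        if n > 1:
            print(f"repeated {n}x: {msg}")
```

Feed it the real file with `run_report(open(path))`; the quoted and injection-looking lines are counted like any other message because no code is generated from log data.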

_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users