Gabriele,

as you can see in the sec logfile, it seems that your variables are not getting expanded.... if your rule looks like this:

type=Single
ptype=RegExp
pattern=(?:error|warning)
desc=$0
action=pipe '%s' /usr/bin/mail -s 'error detected' [email protected]

start sec.pl with this rule and, e.g., input=mylog.log
then do

echo "this is an error on my system" >> mylog.log

and you will see in sec logfile

Thu Feb 12 20:43:34 2009: Feeding event 'this is an error on my system' to shell command '/usr/bin/mail -s 'error detected' [email protected]'
Thu Feb 12 20:43:34 2009: Child 25637 created for command '/usr/bin/mail -s 'error detected' [email protected]'

and an e-mail will arrive...

hope it helps,
tom

Gabriele Giorelli wrote:
> Thank you Risto.
>
> I adjusted the config file and it works fine.
>
> However, the action (which is to send me an email with the entry that has the
> pattern) is not performed. The action is:
>
> action=pipe '%0' /usr/bin/mailx -s '[SEC] $s' [email protected]
>
> in the log:
>
> Feeding event '%0' to shell command '/usr/bin/mailx -s '[SEC] $s' [email protected]'
>
> What am I missing?
>
> thanks
>
>
> --- On Thu, 2/12/09, Risto Vaarandi <[email protected]> wrote:
>
>> From: Risto Vaarandi <[email protected]>
>> Subject: Re: [Simple-evcorr-users] installation and configuration guide
>> To: [email protected]
>> Cc: [email protected]
>> Date: Thursday, February 12, 2009, 10:37 AM
>> Gabriele Giorelli wrote:
>>> Hi,
>>>
>>> To start sec, I need to start it in background it seems, right?
>>>
>>> /etc/rc3.d/S98sec start
>>>
>>> Starting up Syslog Event Correlator: SEC (Simple Event Correlator) 2.5.0
>>> Changing working directory to /
>>> Reading configuration from /usr/local/etc/sec/sec.rules
>>> SEC (Simple Event Correlator) 2.5.0
>>>
>>> ^Z
>>> [1]+ Stopped /etc/rc3.d/S98sec start
>>>
>> Hmmm, with the startup file and startup options you have, SEC should go into
>> background automatically (have you preserved the -detach option in the
>> /usr/local/etc/sec/sec.start file?).
>> It actually goes to background in your case -- there is a message
>> "Changing working directory to /" in its output which is logged only if SEC
>> switches to daemon mode.
>>
>>> Also, sec.rules looks now
>>>
>>> type=Single
>>> ptype=RegExp
>>> pattern=error
>>> desc=$0
>>> action=pipe '%s' /usr/bin/mail -s 'error detected' [email protected]
>>>
>>> Here I assume that whenever syslog has an error (case not sensitive) entry,
>>> sec will send me an email. Correct?
>>>
>>> And when I have more than 1 pattern, can I put them in a single pattern entry?
>>> e.g.
>>> pattern=error,warning
>>
>> Well, not with using the comma!
>>
>> SEC accepts a wide variety of things as patterns, but regular expression
>> patterns (pattern type 'RegExp') are perhaps most commonly used. If you have
>> had only limited experience with regular expressions, type the following
>> command
>>
>> perldoc perlretut
>>
>> which should give you a good overview of the Perl regular expression dialect.
>>
>> However, in order to provide you a short answer, you might want to use the
>> following regular expression pattern:
>>
>> (?:error|warning)
>>
>> This captures both "error" and "warning" strings without assigning them to a
>> special variable.
>>
>>> Finally, I can specify the file that I can apply SEC to in sec.start:
>>>
>>> -input=/any/file.log
>>>
>>> Correct?
>>
>> exactly, use the -input option for that.
>>
>> hth,
>> risto
>>
>>> thank you

------------------------------------------------------------------------------
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
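Added example, not from the thread and not SEC's own code: a small Python emulation of how variables in a type=Single rule expand, enough to reproduce both Tom's working "Feeding event" log line and the literal '%0' / '$s' in Gabriele's. It assumes SEC's documented semantics ($0 is the whole event line, $1.. are the pattern's capture groups, %s in the action is the rule's desc) and only models the pipe action; the rules, event lines and admin@example.com address are constructed.

```python
import re

# Token syntax modelled here (assumption, following SEC's documented variables):
# $0 = the whole event line, $N = capture group N of the pattern, %s = rule desc.
# Anything else ('%0', '$s', ...) is not a variable and stays literal.
TOKEN = re.compile(r"\$(\d+)|%s")

def expand(text, event, match, desc=None):
    """Expand $N and %s in one pass; desc=None leaves %s untouched (used for desc itself)."""
    def sub(tok):
        if tok.group(0) == "%s":
            return desc if desc is not None else tok.group(0)
        n = int(tok.group(1))
        if n == 0:
            return event
        if n <= len(match.groups()) and match.group(n) is not None:
            return match.group(n)
        return tok.group(0)            # unknown $N: left as-is
    return TOKEN.sub(sub, text)

def run_single_rule(rule, event):
    """Return (text fed to stdin, shell command) for a type=Single rule with a pipe
    action, or None when the pattern does not match the event."""
    if rule["ptype"] != "RegExp":
        raise ValueError("only ptype=RegExp is modelled")
    m = re.search(rule["pattern"], event)
    if m is None:
        return None
    desc = expand(rule["desc"], event, m)
    am = re.fullmatch(r"pipe\s+'([^']*)'\s+(.*)", rule["action"])
    if am is None:
        raise ValueError("only the pipe action is modelled")
    fed = expand(am.group(1), event, m, desc)
    cmd = expand(am.group(2), event, m, desc)
    return fed, cmd

def feed_log_line(fed, cmd):
    # Same shape as the "Feeding event ... to shell command ..." line in SEC's log.
    return f"Feeding event '{fed}' to shell command '{cmd}'"

# Constructed rules: Tom's corrected rule, Gabriele's rule with the swapped sigils,
# and one using a capture group to show $1 and %s together.
GOOD_RULE = {"type": "Single", "ptype": "RegExp", "pattern": r"(?:error|warning)",
             "desc": "$0",
             "action": "pipe '%s' /usr/bin/mail -s 'error detected' admin@example.com"}
BAD_RULE = dict(GOOD_RULE,
                action="pipe '%0' /usr/bin/mailx -s '[SEC] $s' admin@example.com")
GROUP_RULE = dict(GOOD_RULE, pattern=r"(error|warning)", desc="$1 seen",
                  action="pipe '%s: $0' /usr/bin/mail -s '%s' admin@example.com")

if __name__ == "__main__":
    for rule in (GOOD_RULE, BAD_RULE, GROUP_RULE):
        print(feed_log_line(*run_single_rule(rule, "this is an error on my system")))
```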
