Oskar Hek wrote:
> I'm trying to get sec working on my system with some examples from the
> manual.
> a log file is scanned which is filled from tomcat.
>
> my configuration:
>
> type=SingleWithSuppress
> ptype=RegExp
> pattern=ohek
> desc=$0
> action=eval %h (require Sys::Hostname;$host = Sys::Hostname->hostname()) ;pipe 'test2 on %h!' /usr/bin/mailx -s 'test2 %h !' [mail adres]
> window=5
>
> but if I access a certain page the text 'aaaaaa' will appear twice in
> the log file within 5 seconds.
> it's executed twice and I get 2 emails instead of one??
>
> can anyone tell me what's wrong?

This is probably because you have set the 'desc' parameter to $0, which equals the entire input line, including timestamps. However, the 'desc' parameter is used for setting the event correlation key which defines how events are correlated. I really recommend having a look at the following man page section:

http://simple-evcorr.sourceforge.net/sec.pl.html#lbAV

This section explains how the 'desc' field influences the scope of event correlation.

br,
risto

> greetings
> Oskar

_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
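
The keying behaviour described in the reply, as a simplified Python model of a SingleWithSuppress rule (an added illustration, not SEC's own code and not part of the original thread). The log lines, the file name `test.conf` and the constant desc string are constructed assumptions.

```python
import re

# Constructed sample input: (arrival time in seconds, log line). The lines
# differ only in their timestamp, as in the situation described in the question.
SAMPLE = [
    (0, "2009-03-10 12:00:01 INFO ohek page requested"),
    (2, "2009-03-10 12:00:03 INFO ohek page requested"),
    (9, "2009-03-10 12:00:10 INFO ohek page requested"),
]

def expand(template, match):
    """Substitute $0 (entire input line) and $1..$9 (capture groups) in desc."""
    def repl(m):
        n = int(m.group(1))
        if n == 0:
            return match.string
        return match.group(n) or "" if n <= match.re.groups else ""
    return re.sub(r"\$(\d)", repl, template)

def single_with_suppress(events, pattern, desc, window,
                         conf="test.conf", rule_id=0):
    """Return the arrival times at which the rule's action would run."""
    regex = re.compile(pattern)
    operations = {}  # correlation key -> start time of the suppression window
    fired = []
    for now, line in events:
        m = regex.search(line)
        if m is None:
            continue
        # The key combines the config file, the rule ID and the expanded desc.
        key = (conf, rule_id, expand(desc, m))
        start = operations.get(key)
        if start is not None and now - start < window:
            continue           # an operation with this key is active: suppress
        operations[key] = now  # no active operation: start one, run the action
        fired.append(now)
    return fired

if __name__ == "__main__":
    # desc=$0: every line carries a new timestamp, so every key is new.
    print("desc=$0      ->", single_with_suppress(SAMPLE, "ohek", "$0", 5))
    # Constant desc: the second line falls inside the first line's window.
    print("desc=constant ->", single_with_suppress(SAMPLE, "ohek", "ohek seen in log", 5))
```

With `desc=$0` the action runs for all three lines; with a desc that does not include the timestamp, the line arriving 2 seconds after the first is suppressed.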
