In message <[email protected]>,
Joe Prosser writes:
>Is there any way to write the state information to a file so that it
>could be read in on a restart?

Well, a soft restart signal (SIGABRT, SIGIOT) will reload the config
files without shutting down. It will reset any correlation operations
that were started from a rule in a changed config file, but it
preserves contexts and correlations started from unchanged config
files.

If you want to dump all the contexts to a file and reload them you can
try using the SEC_SHUTDOWN event to trigger:

  A SingleWithScript command (that receives all the current contexts on
  stdin) that saves the context names to a context_file.

  A spawn action that uses sed to generate events
    sed 's/^/DUMPCONTEXT /' context_file

  A single rule that reports every context in the 'DUMPCONTEXT
    <context>' to a file.

All these rules except the last would use cont=takenext so they are
all triggered by the same (and only) SEC_SHUTDOWN event.

Then a rule that uses spawn and sed to read the dumped context files
into SEC. This won't preserve any timing constraints or context
termination actions.

Another option is to set up a ruleset to replay initial data to prime
the correlation engine rather than saving and restoring state.

At http://www.cs.umb.edu/~rouilj/sec/rulesets/10timestamp.sr is a
ruleset that handles a heartbeat event from a system. As it handles a
host that it has never seen before, it adds it to the file that primes
the cache. When SEC is started, a spawn action is run that replays the
events into SEC as though they were just received.

Lastly if you are looking to preserve everything, I can only suggest
using Data::Dumper to save the internal data structures to a file (or
files) when the SEC_SHUTDOWN event is received (using a call to a perl
program in your action). Then load those files when SEC starts up. I
am not sure how well that will work (e.g. some contexts may never be
expired) but it is the only way I can think of to save all the state of a
running SEC.

--
                                -- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
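
An added example (not part of the original message or of SEC itself) of a helper script for the save and replay steps described above. The file path, the RESTORECONTEXT prefix, the allowed character set for context names and the consuming rule shown in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not SEC's own code. Assumed usage:
#   helper.sh save    <- script of the SingleWithScript rule on SEC_SHUTDOWN
#   helper.sh replay  <- run through a spawn action when SEC starts
# Assumed rule that consumes the replayed events (lifetime and
# termination actions are not restored, as the message notes):
#   type=Single
#   ptype=RegExp
#   pattern=^RESTORECONTEXT (\S+)$
#   desc=restore context $1
#   action=create $1

# Assumed location; override through the environment.
CONTEXT_FILE="${CONTEXT_FILE:-/var/lib/sec/context_file}"

# Context names are often built from log fields, so treat them as untrusted:
# keep only names made of conservative characters (assumed naming scheme).
NAME_RE='^[A-Za-z0-9_.:@-]+$'

# save_contexts: read one context name per line on stdin and store the
# valid ones in CONTEXT_FILE, replacing the old file atomically.
save_contexts() {
    old_umask=$(umask)
    umask 077                        # state file readable by the SEC user only
    tmp="${CONTEXT_FILE}.tmp.$$"
    # grep exits 1 when nothing matches; that is not an error here.
    grep -E "$NAME_RE" > "$tmp" || [ "$?" -eq 1 ] || {
        rm -f "$tmp"; umask "$old_umask"; return 1
    }
    mv -f "$tmp" "$CONTEXT_FILE"
    umask "$old_umask"
}

# replay_contexts: print one "RESTORECONTEXT <name>" event per saved name.
# Names are validated again in case the file was edited while SEC was down.
replay_contexts() {
    [ -r "$CONTEXT_FILE" ] || return 0   # first start: nothing to restore
    grep -E "$NAME_RE" "$CONTEXT_FILE" | sed 's/^/RESTORECONTEXT /'
}

case "${1:-}" in
    save)   save_contexts ;;
    replay) replay_contexts ;;
esac
```
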
