On 10/24/2009 01:17 AM, Ronald San Juan wrote:
> Hi,
> I am using SEC v2.5. The problem I have is SEC doesn't seem to read on
> lines with over 1024 characters in length. I found out that it is using
> sysread() which has limitations to 1024 characters.

Although by default SEC reads by 1KB blocks from files, it will *not* 
prevent SEC from processing lines which are longer than 1KB. Note that 
each 1KB block is stored to an intermediate buffer, and if the buffer 
does not contain a newline, another block will be read and added to the 
end of the buffer. SEC will fetch a line from the buffer only after the 
newline character has been observed, and all bytes up to the newline 
will make up the line.

> Scenario: The logfile has lines reaching 1600 characters in length.
> rule:
> type=singlewiththreshold
> ptype=regexp
> pattern=(routing.jsp_servlet._dialogs)
> desc=$0
> action=write - $0
> window=10
> thresh=10
> result:
> When thresh is set to 10, the rule is loaded but I do not get any
> result. The threshold is definitely being met as the pattern occurs at
> least 10 times per second. When I set the thresh to 1, I get the
> results. Basically, setting the thresh to any number greater than one
> does not trigger the alarm.
> I'm thinking because of the limitation of sysread to 1024 characters,
> SEC is unable to process multiple lines in a singlewiththreshold window.
> I tried the same rule to a similar file whose characters per line does
> not exceed 1024 and it works fine.
> Is there a way to bypass this without having to split the lines? Is
> there a function I can use to replace sysread(1024)?
> Any help will do. Thanks in advance.

The problem you have is caused by incorrectly defined 'desc' parameter, 
see also the relevant section in the SEC man page:
http://simple-evcorr.sourceforge.net/sec.pl.html#lbAV
In the case you would like to increase read block size for SEC, use the 
-blocksize command line option.

HTH,
risto

> Regards,
> Ronald
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
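
An added illustration in Python (not SEC's code and not part of this thread): a simplified model of the block-buffered line reading described in the reply, followed by threshold counting in which, within one rule, each distinct substituted desc string gets its own counting operation, as the SEC man page describes. The sample log lines, the function names and the desc=$1 alternative are assumptions made for the example.

```python
import io
import re

def read_lines(stream, blocksize=1024):
    """Yield complete lines from a stream that is read in fixed-size blocks."""
    buf = b""
    while True:
        block = stream.read(blocksize)
        if not block:
            return  # leftover bytes without a newline are not yet a line
        buf += block  # no newline seen yet: keep appending blocks
        while b"\n" in buf:
            line, buf = buf.split(b"\n", 1)
            yield line.decode()

def correlate(events, pattern, desc, thresh, window):
    """Simplified threshold counting: one operation per substituted desc."""
    regex = re.compile(pattern)
    ops, alerts = {}, []
    for ts, line in events:
        m = regex.search(line)
        if not m:
            continue
        # $0 expands to the whole matching line, $1 to the first group
        key = desc.replace("$0", line).replace("$1", m.group(1))
        hits = [t for t in ops.get(key, []) if ts - t < window] + [ts]
        ops[key] = hits
        if len(hits) == thresh:
            alerts.append(key)
    return alerts

# Constructed sample: 12 lines of over 1600 characters, each with a different id.
SAMPLE = b"".join(
    b"req=%d /routing.jsp_servlet._dialogs %s\n" % (i, b"x" * 1600)
    for i in range(12)
)
PATTERN = r"(routing.jsp_servlet._dialogs)"  # pattern from the rule above

def run(desc, blocksize=1024):
    lines = list(read_lines(io.BytesIO(SAMPLE), blocksize))
    events = [(i * 0.1, line) for i, line in enumerate(lines)]  # ~10 per second
    return lines, correlate(events, PATTERN, desc, thresh=10, window=10)

if __name__ == "__main__":
    for d in ("$0", "$1"):
        lines, alerts = run(d)
        print(d, len(lines), "lines ->", len(alerts), "alert(s)")
```

With desc=$0 every distinct line opens its own operation with a count of 1, so thresh=10 is never reached; with a desc that is the same for all matching lines, the counts accumulate in one operation.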