In message <[email protected]>,
Brian Landers writes:
>Bit new to SEC, so forgive the possible newbie question:  how would I go
>about doing something like the following (obviously not valid syntax)
>
>action=write /opt/logs/$YEAR-$MONTH-$DATE.log $0
>
>e.g. writing the log message to a date-stamped filename, preferably while
>not bogging down a heavily-loaded loghost.

You would probably need to use a Perl expression to create the
filename and store it in a variable, then use the variable.

Something like:

type=single
desc=dynamic write
ptype=regexp
pattern=.?
action=eval %w (use POSIX qw(strftime); \
            return strftime("/opt/logs/%Y-%m-%d.log",localtime());); \
       write %w $0;

Note that setting up a rule that fires when SEC starts up and does the
use POSIX command will probably be more efficient.

Also you could set up a cron rule that fires at midnight every day to
set the %w variable and then just use the write command in your
logging rule.  I would suggest doing that if you have multiple rules
writing to the same file.

A sample execution:

> /tools/sec/bin/sec -conf=test.sec -debug=6 -input=-
SEC (Simple Event Correlator) 2.5.2
Reading configuration from test.sec
1 rules loaded from test.sec
Stdin connected to terminal, SIGINT can't be used for changing the logging level
foo [<-- my input]
Evaluating code 'use POSIX qw(strftime); return 
strftime("/tmp/%Y-%m-%d.log",localtime());' and setting variable '%w'
Variable '%w' set to '/opt/logs/2010-03-26.log'
Writing event 'foo' to file /opt/logs/2010-03-26.log

--
                                -- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
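
The startup-rule and midnight-rule suggestions from the message above, combined into one rule file as an added example; it is not part of the original message. It assumes SEC is started with -intevents so that the SEC_STARTUP and SEC_RESTART internal events are generated; the rule descriptions are illustrative.

```conf
# Added example, not from the original message.
# Assumption: SEC runs with -intevents, so the internal events matched
# by rule 1 are generated and carry the SEC_INTERNAL_EVENT context.

# 1. Set %w once at startup and again after a full restart (SIGHUP).
type=Single
ptype=RegExp
pattern=^SEC_(STARTUP|RESTART)$
context=SEC_INTERNAL_EVENT
desc=set dated log file name at startup
action=eval %w (use POSIX qw(strftime); \
            return strftime("/opt/logs/%Y-%m-%d.log",localtime());)

# 2. Recompute %w at 00:00 local time every day (crontab-style fields).
type=Calendar
time=0 0 * * *
desc=roll dated log file name at midnight
action=eval %w (use POSIX qw(strftime); \
            return strftime("/opt/logs/%Y-%m-%d.log",localtime());)

# 3. Logging rule: no Perl is evaluated per event, only a write.
#    The file name comes from the clock alone, never from event text,
#    so log content cannot influence the path being written.
#    Internal events are excluded so they do not end up in the log.
type=Single
ptype=RegExp
pattern=.?
context=!SEC_INTERNAL_EVENT
desc=dynamic write
action=write %w $0
```

Rule order matters here: rule 1 must precede rule 3 so that %w is set before the first input line is written.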
