hi Kevin,
although there is no command line option for limiting the number of
child processes, you can check their number from a context expression.
The info about all children is stored in SEC's internal %children hash
with PIDs acting as keys (you can access this hash by using the main::
prefix). Therefore,
scalar(keys(%main::children))
will tell you the number of child processes. For example, the following
fairly simple rule will start at most 3 child processes for the TEST event:
type=Single
ptype=SubStr
pattern=TEST
context= ->( sub { return (scalar(keys(%main::children)) < 3); } )
desc=sleep for 30 seconds
action=shellcmd sleep 30
Instead of the anonymous function and the ->( ) operator, you can also
write
=( scalar(keys(%main::children)) < 3 )
which is shorter, but less efficient, because the code is compiled
before *each* execution.
hope this helps,
risto
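As an added illustration (not Risto's or SEC's own code), the stand-alone Perl script below simulates the rule above: it keeps its own %main::children hash of forked PIDs, reaps finished children, and applies the same context expression before starting each action. It assumes a burst of ten TEST events arriving at once (constructed input) and shortens the sleep to 2 seconds.

```perl
#!/usr/bin/perl
# Added illustration, not SEC's own code: stand-alone simulation of the rule
# above. The script runs in package main, so the %main::children hash the
# context expression reads is the one this script maintains.
use strict;
use warnings;
use POSIX ":sys_wait_h";

our %children;    # PID => start time, standing in for SEC's internal hash

# The context expression exactly as written in the rule, compiled once
# (this is what the ->( ) form does; the =( ) form recompiles per event).
my $context = sub { return (scalar(keys(%main::children)) < 3); };

# Remove children that have exited, so the hash only counts running ones.
sub reap_children {
    while ((my $pid = waitpid(-1, WNOHANG)) > 0) {
        delete $children{$pid};
    }
}

# Stand-in for "action=shellcmd sleep 30" (2 seconds to keep the run short).
sub start_action {
    my $pid = fork();
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {
        exec("sleep", "2") or exit 1;
    }
    $children{$pid} = time();
}

# Constructed input: a burst of ten TEST events arriving at once.
my ($started, $skipped) = (0, 0);
for my $event (("TEST") x 10) {
    next unless index($event, "TEST") >= 0;    # ptype=SubStr, pattern=TEST
    reap_children();
    if ($context->()) {
        start_action();
        $started++;
    } else {
        $skipped++;    # rule does not match; the action is not queued
    }
}
printf "started=%d skipped=%d running=%d\n",
    $started, $skipped, scalar(keys %children);

# Wait for the running children before exiting.
while (keys %children) {
    sleep 1;
    reap_children();
}
```

Note that events arriving while three children are still running are skipped rather than queued, so the cap protects the host at the cost of unexecuted actions during a burst.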
On 06/30/2011 01:19 PM, Kevin Stevenard wrote:
> Hello all,
>
> I would like to know if there is a way to limit the number of forked
> processes (used by report or shellcmd calls) that run in parallel.
> Indeed, I know that the logs that sec analyzes for me can be huge, and in
> some circumstances we can receive a lot of logs that will trigger a
> report command, and I think that in this kind of circumstance it can
> impact my server if the number of tasks running in parallel is too
> high.
> In this special case I don't want to make use of a window to reduce the
> number of triggered actions.
>
> Best Regards,
>
> Kevin,
>
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users