Hello,

I am trying to learn to use SEC and I have encountered the following problem:

I am monitoring a text file with the following simplified rule:

type=Single
ptype=RegExp
pattern=foo\s+(\S+)
desc=$0
action=logonly

Every time the file is updated, SEC processes it from the start, firing rules
that were already fired before. For example, when I am monitoring a file
that tracks user logins, every time a new user logs in, SEC processes the
entire file, executing actions for every login entry, even for those whose
action has already been executed before.

I would like to know if it is possible to make SEC fire rules only for new
events.

Thanks for the help.
_______________________________________________
Simple-evcorr-users mailing list
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users