Hi, I used sec successfully some time ago and I'm now using it again to
watch a syslog and, based on a pattern, to spawn a (perl) script which does some
input checking and then calls an expect script to log in to a device and take
some action. It is all working fine when I run it without the --detach switch,
but I need it to run as a daemon. From what I can tell it seems like the first
piece of the expect script is called but then nothing seems to happen, like the
terminal (Stdin) can't see/send output/etc. I saw some posts about needing the
full path to commands you are calling and those are there. But I wonder if there
is a better way to go about this than calling one script that calls another.

Works when run like:

/usr/bin/perl -w /usr/bin/sec.pl --conf=/etc/sec.conf --quoting --input=/var/log/local3 --pid=/var/run/sec.pid --syslog=daemon

Doesn't work with --detach:

sudo /usr/bin/perl -w /usr/bin/sec.pl --conf=/etc/sec.conf --quoting --input=/var/log/local3 --pid=/var/run/sec.pid --detach --syslog=daemon

Here is my conf file:

more /etc/sec.conf
# Executing on arbor alert
type=Single
continue=TakeNext
ptype=RegExp
pattern=\s\d\d:\d\d:\d\d\s(.*)\spfsp:\sanomaly\sTotal_traffic_rate_Misuse\s+id\s+(\d+)\s+status\s+ongoing\s+severity\s+3\s+classification\s+medium\s+impact\s+\".*\"\s+src\s+0\.0\.0\.0\/0\s+All\s+dst\s+(\d.\d.\d.*\/32)
desc=Arbor hostname $1 alertid $2 blackholeip $3
action=spawn exec /usr/bin/addarborpfBlackholeexp.pl $1 $2 $3 $0
# that seems to execute fine when I feed it a syslog to match on:
Feb 27 22:20:27 xops01 sec.pl[31534]: Spawning shell command 'exec
/usr/bin/addarborpfBlackholeexp.pl arborpfash01 43425 xxx.xxx.xx.xx/32 Feb 7
03:17:23 arborpfash01 pfsp: anomaly Total_traffic_rate_Misuse id 43425 status
ongoing severity 3 classification medium impact "5.40 Mbps/6.79 Kpps" src
0.0.0.0/0 All dst xxx.xxx.xx.xx/32 test_alerting_MO start 2013-02-07 03:06:04
+0000 duration 659 percent 107.960000 rate 5e+06 rateUnit bps protocol nil
flags nil url https://arbpfash01/page?id=alert_view&alert_id=43425'
but when that script calls out the expect script it starts at the first part to
try to ssh / login / but doesn't go anywhere.
<snip of addarborpfBlackholeexp.pl>
$arboroutput = qx(/usr/local/bin/expect -f /usr/bin/addarborpfBlackhole.exp '$params->{'devusername'}' '$params->{'password'}' '$params->{'device'}' '$params->{'name'}' '$params->{'ipversion'}' '$params->{'blackholeip'}' '$params->{'nexthopip'}' '$params->{'community'}' '$params->{'router1'}' '$params->{'router2'}' '$params->{'prompt'}');
</snip>
# if I run without --detach it all works as expected.
Feb 27 22:18:54 xops01 sec.pl[31534]: SEC (Simple Event Correlator) 2.7.0
Feb 27 22:18:54 xops01 sec.pl[31534]: Reading configuration from /etc/sec.conf
Feb 27 22:18:54 xops01 sec.pl[31534]: Opening input file /var/log/local3
Feb 27 22:18:54 xops01 sec.pl[31534]: Stdin connected to terminal, SIGINT can't
be used for changing the logging level
Feb 27 22:19:03 xops01 sec.pl[31534]: Spawning shell command 'exec
/usr/bin/addarborpfBlackholeexp.pl arborpfash01 43425 xxx.xxx.xx.xx/32 Feb 7
03:17:23 arborpfash01 pfsp: anomaly Total_traffic_rate_Misuse id 43425 status
ongoing severity 3 classification medium impact "5.40 Mbps/6.79 Kpps" src
0.0.0.0/0 All dst xxx.xxx.xx.xx/32 test_alerting_MO start 2013-02-07 03:06:04
+0000 duration 659 percent 107.960000 rate 5e+06 rateUnit bps protocol nil
flags nil url https://arbpfash01/page?id=alert_view&alert_id=43425'
I turned up debug=6 and it didn't provide me anything useful. I'd appreciate any
guidance / advice on what could be going wrong and how to fix it, or whether I
should be going about something like this another way.
Thanks
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
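
As an added example (not part of the original post, and not code from SEC), here is one way a Perl wrapper like the one described could validate the three fields captured by the rule and run the expect script from an argument list instead of a qx() shell string, capturing the child's stderr and logging it so a failure is still visible when there is no terminal. The validation patterns, the syslog ident, the sample values and the choice to pass only the three validated fields to the expect script are assumptions.

```perl
use strict;
use warnings;
use Sys::Syslog qw(openlog syslog);

# Both paths are the ones quoted in the post.
my $EXPECT = '/usr/local/bin/expect';
my $SCRIPT = '/usr/bin/addarborpfBlackhole.exp';

# Return an error string, or undef when all three fields have the expected shape.
sub validate_fields {
    my ($host, $alert_id, $ip) = @_;
    return 'bad hostname' unless defined $host && $host =~ /\A[A-Za-z0-9][A-Za-z0-9.-]{0,62}\z/;
    return 'bad alert id' unless defined $alert_id && $alert_id =~ /\A\d{1,10}\z/;
    my @oct = defined $ip ? $ip =~ m{\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/32\z} : ();
    return 'bad blackhole ip' unless @oct == 4 && !grep { $_ > 255 } @oct;
    return;
}

# Run expect from an argument list (no shell parsing), with stdin on /dev/null
# and stderr merged into the captured output. Returns (wait status, output).
sub run_expect {
    my @args = @_;
    my $pid = open(my $fh, '-|');    # fork; the child's STDOUT feeds $fh
    return (-1, "fork failed: $!") unless defined $pid;
    if ($pid == 0) {
        open(STDIN, '<', '/dev/null') or exit 126;
        open(STDERR, '>&', \*STDOUT) or exit 126;
        exec { $EXPECT } $EXPECT, '-f', $SCRIPT, @args
            or do { print "exec $EXPECT failed: $!\n"; exit 127 };
    }
    my $output = do { local $/; <$fh> };
    close($fh);                      # reaps the child and sets $?
    my $wait = $?;
    $output = '' unless defined $output;
    $output =~ s/[^\x20-\x7e]+/ /g;  # keep the syslog entry on one line
    $output = substr($output, -400) if length($output) > 400;
    return ($wait, $output);
}

# Constructed sample values in the shape SEC passes as $1 $2 $3; 192.0.2.10 is
# a documentation address. Real use takes them from @ARGV.
my @fields = @ARGV >= 3 ? @ARGV[0 .. 2] : ('arborpfash01', '43425', '192.0.2.10/32');
openlog('addarborpfBlackhole', 'pid,nofatal', 'daemon');
if (my $err = validate_fields(@fields)) {
    syslog('err', 'rejected alert fields: %s', $err);
    exit 2;
}
my ($wait, $output) = run_expect(@fields);
syslog($wait ? 'err' : 'info', 'expect wait-status=%d output=%s', $wait, $output);
exit($wait ? 1 : 0);
```

Because the rule hands text captured from a syslog line to a shell via spawn, checking the fields again inside the wrapper and avoiding a second shell for the expect call keeps log content from being interpreted as shell syntax at that stage.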