You probably mean if there is a way to force sec to terminate when it is
connected to syslog-ng over a memory-based pipe. This feature will be
available in the 2.7.4 version which will be released shortly (within a
week).
kind regards,
risto
2013/6/25 Orangepeel Beef <[email protected]>
> Any thoughts on the SEC processes not dying after syslog-ng restarts?
>
>
>
>
> On Tue, Jun 25, 2013 at 12:03 AM, Risto Vaarandi <[email protected]>wrote:
>
>> ...also, if you have more than one custom Perl formatting routine and
>> their number is likely to grow in the future, you could separate custom
>> code into a Perl module. When you have lot of code snippets to deal
>> with, having them in a module might increase readability for both SEC
>> rules and Perl code. SEC rule repository contains a relevant example:
>> http://simple-evcorr.sourceforge.net/rulesets/syslog-custom.sec
>>
>> kind regards,
>> risto
>>
>> On 06/25/2013 05:16 AM, Orangepeel Beef wrote:
>> > works a treat, thanks John
>> >
>> >
>> > On Mon, Jun 24, 2013 at 6:30 PM, John P. Rouillard <[email protected]
>> > <mailto:[email protected]>> wrote:
>> >
>> >
>> > In message
>> > <CAHkPr1EvbEF3LRZWhB7zyRTxVYBnQGWD=9yvvkhx99wupcj...@mail.gmail.com
>> > <mailto:[email protected]>> ,
>> > Orangepeel Beef writes:
>> > >Hi guys, i'm using syslog-ng with SEC using the program stream. I
>> > have 2
>> > >issues.
>> > >
>> > >1: Write to file w/ date in the name..
>> > >
>> > >trying to do something like this, but haven't gotten it working..
>> > >
>> > >type=single
>> > >desc=Set log file and addressee list
>> > >ptype=substr
>> > >pattern=SEC_STARTUP
>> > >context=SEC_INTERNAL_EVENT
>> > >action=eval %d ( $date = strftime "%Y-%m-%d", localtime;);\
>> > > assign %f /opt/log/remote-bytype/comware-%d.log;
>> > >
>> > >type=single
>> > >desc=Log messages to file
>> > >ptype=regexp
>> > >pattern=(.+)
>> > >action=write %f $1
>> > >
>> >
>> > Try:
>> >
>> > action= eval %r (use POSIX qw(strftime);); \
>> > eval %d ( $date = strftime "%%Y-%%m-%%d", localtime; return
>> > $date;); \
>> > assign %f /opt/log/remote-bytype/comware-%d.log;
>> >
>> > You need to load the POSIX lib so strftime was defined. Then the
>> > original %Y %m %d need to be escaped, they were being replaced by
>> > nothing.
>> >
>> > To test, put the rules (with my modified action) in the file called
>> > s.sr <http://s.sr> and run:
>> >
>> > sec -input - -conf s.sr <http://s.sr> -intevent
>> >
>> > and you will see:
>> >
>> > SEC (Simple Event Correlator) 2.7.2
>> > Reading configuration from s
>> > 2 rules loaded from s
>> > Opening input file -
>> > Stdin connected to terminal, SIGINT can't be used for changing
>> > the logging level
>> > Creating SEC internal context 'SEC_INTERNAL_EVENT'
>> > Creating SEC internal event 'SEC_STARTUP'
>> > Evaluating code 'use POSIX qw(strftime);' and setting variable
>> '%r'
>> > No value received for variable '%r', set to undef
>> > Evaluating code '$date = strftime "%Y-%m-%d", localtime; return
>> > $date;' and setting variable '%d'
>> > Variable '%d' set to '2013-06-24'
>> > Assigning '/opt/log/remote-bytype/comware-2013-06-24.log' to
>> > variable '%f'
>> > Deleting SEC internal context 'SEC_INTERNAL_EVENT'
>> >
>> > With your action I saw:
>> >
>> > Evaluating code '$date = strftime "--", localtime; return $date;'
>> > and setting variable '%d'
>> >
>> > note the missing %Y... as they got expanded/replaced. Then you see
>> > Perl errors like:
>> >
>> > Unquoted string "strftime" may clash with future reserved word at
>> > (eval 3) line 1
>> > Error evaluating code '$date = strftime "--", localtime; return
>> > $date;': syntax error at (eval 3) line 1, near "strftime "--""
>> >
>> > because of the missing 'use POSIX ...'. You can test your eval
>> actions
>> > by putting them in a perl script and trying to run it. If you had
>> put
>> > your actions in a file and run perl on the file they would have
>> failed
>> > in a similar manner but in a more easily debugged form.
>> >
>> > --
>> > -- rouilj
>> > John Rouillard
>> >
>> ===========================================================================
>> > My employers don't acknowledge my existence much less my opinions.
>> >
>> >
>> >
>> >
>> >
>> ------------------------------------------------------------------------------
>> > This SF.net email is sponsored by Windows:
>> >
>> > Build for Windows Store.
>> >
>> > http://p.sf.net/sfu/windows-dev2dev
>> >
>> >
>> >
>> > _______________________________________________
>> > Simple-evcorr-users mailing list
>> > [email protected]
>> > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>>
>>
>>
>> ------------------------------------------------------------------------------
>> This SF.net email is sponsored by Windows:
>>
>> Build for Windows Store.
>>
>> http://p.sf.net/sfu/windows-dev2dev
>> _______________________________________________
>> Simple-evcorr-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>>
>
>
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by Windows:
>
> Build for Windows Store.
>
> http://p.sf.net/sfu/windows-dev2dev
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>
>
------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:
Build for Windows Store.
http://p.sf.net/sfu/windows-dev2dev
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
