hi,

can you give a more precise problem description -- is the problem related to the 'write' action which is not producing a file with the expected date timestamp after each midnight?

When you are introducing a new file name to the 'write' action, it always creates a new file. In other words, having an action

write /var/log/test-%date mystring

always creates separate files for different dates, provided that you change %date variable at each midnight. If you forget about changing %date at 00:00:00, you would have one file which is used for all 'write' actions.

Also, the SEC dump file is *not* used to pass state across restarts, but it is rather intended to be a debugging measure. This file is never used to initialize data structures at startup, but serves as a human readable description of the current event correlation state.

kind regards,
risto

On 07/09/2013 04:37 AM, Orangepeel Beef wrote:
> I'm using date based file output in SEC and rsyslog to feed it, but I
> noticed SEC was not changing to the new date file.
>
> So, I set up logrotate to restart rsyslog, and set SEC 2.7.4 to --notail
> and now the files are being logged properly in the appropriate day
> (after the logrotate runs)
>
> But, I like to use an internal context to do a syslog heartbeat so to
> speak, and since I'm now restarting nightly this is really not that useful.
>
> #set up syslog heartbeat
> type=single
> ptype=regexp
> pattern=^\d+-\d+-\S+\s(\S+)\s+
> continue=takenext
> desc=[SEC-W] Have not received syslogs from $1 in 12 Hours
> action=create HEARTBEAT_$1 43200 (shellcmd echo $0 | /usr/local/sbin/sec_mail.pl '%s' '%e' )
>
> I do set the SEC dumpfile, but I'm not sure that it's maintaining this
> state as SEC restarts.
>
> /usr/local/sbin/sec --conf=/usr/local/etc/sec/$CONF --pid=/tmp/sec-$CONF.pid --dump=/tmp/sec-$CONF.dump --debug=5 --syslog=local1 --intevents --input=- --notail
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
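
Added example, not part of the thread and not code from either poster: one way to keep the %date variable from the reply current without restarting SEC, so that contexts such as HEARTBEAT_$1 survive midnight. The variable name %date and the path /var/log/test-%date come from the reply; the rule descriptions, the Perl used to build the date string, and writing $0 instead of mystring are assumptions made for illustration.

```conf
# Added example (assumed rules, not from the thread).

# Set %date when SEC starts or is restarted. Relies on --intevents,
# which the posted command line already passes.
type=Single
ptype=RegExp
pattern=^(?:SEC_STARTUP|SEC_RESTART)$
context=SEC_INTERNAL_EVENT
desc=initialise date variable at startup
action=eval %date ( my @t = localtime(); \
    join("-", $t[5] + 1900, substr("0" . ($t[4] + 1), -2), substr("0" . $t[3], -2)) )

# Change %date at 00:00 every day, as the reply requires. No restart
# is involved, so existing contexts and their timers are untouched.
type=Calendar
time=0 0 * * *
desc=roll date variable at midnight
action=eval %date ( my @t = localtime(); \
    join("-", $t[5] + 1900, substr("0" . ($t[4] + 1), -2), substr("0" . $t[3], -2)) )

# Each new value of %date yields a new file name, so 'write' starts
# a new file for every day.
type=Single
ptype=RegExp
pattern=.
desc=write input line to the per-day file
action=write /var/log/test-%date $0
```

The Perl snippet avoids percent signs on purpose, so that nothing inside the eval code can be taken for an SEC action-list variable.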
