hi,
I would recommend to use the Calendar rule for changing date variables,
since it is designed for such scenarios. In your case, you could try the
following example:
type=Calendar
time=* * * * *
desc=Change date variables
action=eval %d ( strftime "%%Y-%%m-%%d", localtime ); \
assign %logfile /opt/log/remote-bytype/netscaler-%d.log; \
assign %unknown /opt/log/remote-bytype/netscaler-unknown-%d.log;
Also, it is a bad idea to use the %u action list variable for a
filename, since it is automatically set by SEC to the current unix
timestamp. The other two predefined action list variables are %t and %s:
http://simple-evcorr.sourceforge.net/man.html#lbAI
hope this helps,
risto
On 07/09/2013 10:49 AM, Orangepeel Beef wrote:
> I'm assigning the date variables on SEC startup which makes sense as to
> why it doesn't get reset.
>
> so now i guess if i can think of another way to detect date change, then
> reinitialize the variables it should work without restarting sec?
>
> type=single
> desc=Set log file and addressee list
> ptype=substr
> pattern=SEC_STARTUP
> context=SEC_INTERNAL_EVENT
> action= eval %r (use POSIX qw(strftime);); \
> eval %d ( $date = strftime "%%Y-%%m-%%d", localtime; return
> $date;); \
> assign %f /opt/log/remote-bytype/netscaler-%d.log; \
> assign %u /opt/log/remote-bytype/netscaler-unknown-%d.log;
>
>
> maybe set a context on startup for the syslog date stamp and reinit the
> files once the context doesn't match?
>
> Thanks for the other document link, i'll review that data.
>
>
>
> On Tue, Jul 9, 2013 at 12:19 AM, Risto Vaarandi <[email protected]
> <mailto:[email protected]>> wrote:
>
> hi,
>
> can you give a more precise problem description -- is the problem
> related to the 'write' action which is not producing a file with the
> expected date timestamp after each midnight? When you are introducing a
> new file name to the 'write' action, it always creates a new file. In
> other words, having an action
>
> write /var/log/test-%date mystring
>
> always creates separate files for different dates, provided that you
> change %date variable at each midnight. If you forget about changing
> %date at 00:00:00, you would have one file which us used for all 'write'
> actions.
>
> Also, the SEC dump file is *not* used to pass state across restarts, but
> it is rather intended to be a debugging measure. This file is never used
> to initialize data structures at startup, but serves as a human readable
> description of the current event correlation state.
>
> kind regards,
> risto
>
> On 07/09/2013 04:37 AM, Orangepeel Beef wrote:
> > I'm using date based file output in SEC and rsyslog to feed it, but I
> > noticed SEC was not changing to the new date file.
> >
> > So, I setup logrotate to restart rsyslog, and set SEC 2.7.4 to
> --notail
> > and now the files are being logged properly in the appropriate day
> > (after the logrotate runs )
> >
> > But, I like to use an internal context to do a syslog heartbeat so to
> > speak, and since i'm now restarting nightly this is really not
> that useful.
> >
> >
> > #set up syslog heartbeat
> > type=single
> > ptype=regexp
> > pattern=^\d+-\d+-\S+\s(\S+)\s+
> > continue=takenext
> > desc=[SEC-W] Have not received syslogs from $1 in 12 Hours
> > action=create HEARTBEAT_$1 43200 (shellcmd echo $0 |
> > /usr/local/sbin/sec_mail.pl <http://sec_mail.pl>
> <http://sec_mail.pl> '%s' '%e' )
> >
> > I do set the SEC dumpfile, but i'm not sure that its maintaining this
> > state as SEC restarts.
> >
> >
> >
> > /usr/local/sbin/sec --conf=/usr/local/etc/sec/$CONF
> > --pid=/tmp/sec-$CONF.pid --dump=/tmp/sec-$CONF.dump --debug=5
> > --syslog=local1 --intevents --input=- --notail
> >
> >
> >
> >
>
> ------------------------------------------------------------------------------
> > See everything from the browser to the database with AppDynamics
> > Get end-to-end visibility with application monitoring from
> AppDynamics
> > Isolate bottlenecks and diagnose root cause in seconds.
> > Start your free trial of AppDynamics Pro today!
> >
>
> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
>
> <http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk>
> >
> >
> >
> > _______________________________________________
> > Simple-evcorr-users mailing list
> > [email protected]
> <mailto:[email protected]>
> > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>
>
>
> ------------------------------------------------------------------------------
> See everything from the browser to the database with AppDynamics
> Get end-to-end visibility with application monitoring from AppDynamics
> Isolate bottlenecks and diagnose root cause in seconds.
> Start your free trial of AppDynamics Pro today!
>
> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
>
> <http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk>
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> <mailto:[email protected]>
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>
>
------------------------------------------------------------------------------
See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
