Sorry for the typo, the rule should of course look like this:
type=Calendar
time=0 0 * * *
desc=Change date variables
action=eval %d ( strftime "%%Y-%%m-%%d", localtime ); \
assign %logfile /opt/log/remote-bytype/netscaler-%d.log; \
assign %unknown /opt/log/remote-bytype/netscaler-unknown-%d.log;
Now the action is executed at each midnight as it should (and not in
every minute).
kind regards,
risto
On 07/09/2013 12:35 PM, Risto Vaarandi wrote:
> hi,
> I would recommend to use the Calendar rule for changing date variables,
> since it is designed for such scenarios. In your case, you could try the
> following example:
>
> type=Calendar
> time=* * * * *
> desc=Change date variables
> action=eval %d ( strftime "%%Y-%%m-%%d", localtime ); \
> assign %logfile /opt/log/remote-bytype/netscaler-%d.log; \
> assign %unknown /opt/log/remote-bytype/netscaler-unknown-%d.log;
>
> Also, it is a bad idea to use the %u action list variable for a
> filename, since it is automatically set by SEC to the current unix
> timestamp. The other two predefined action list variables are %t and %s:
> http://simple-evcorr.sourceforge.net/man.html#lbAI
>
> hope this helps,
> risto
>
> On 07/09/2013 10:49 AM, Orangepeel Beef wrote:
>> I'm assigning the date variables on SEC startup which makes sense as to
>> why it doesn't get reset.
>>
>> so now i guess if i can think of another way to detect date change, then
>> reinitialize the variables it should work without restarting sec?
>>
>> type=single
>> desc=Set log file and addressee list
>> ptype=substr
>> pattern=SEC_STARTUP
>> context=SEC_INTERNAL_EVENT
>> action= eval %r (use POSIX qw(strftime);); \
>> eval %d ( $date = strftime "%%Y-%%m-%%d", localtime; return
>> $date;); \
>> assign %f /opt/log/remote-bytype/netscaler-%d.log; \
>> assign %u /opt/log/remote-bytype/netscaler-unknown-%d.log;
>>
>>
>> maybe set a context on startup for the syslog date stamp and reinit the
>> files once the context doesn't match?
>>
>> Thanks for the other document link, i'll review that data.
>>
>>
>>
>> On Tue, Jul 9, 2013 at 12:19 AM, Risto Vaarandi<[email protected]
>> <mailto:[email protected]>> wrote:
>>
>> hi,
>>
>> can you give a more precise problem description -- is the problem
>> related to the 'write' action which is not producing a file with the
>> expected date timestamp after each midnight? When you are introducing a
>> new file name to the 'write' action, it always creates a new file. In
>> other words, having an action
>>
>> write /var/log/test-%date mystring
>>
>> always creates separate files for different dates, provided that you
>> change %date variable at each midnight. If you forget about changing
>> %date at 00:00:00, you would have one file which us used for all 'write'
>> actions.
>>
>> Also, the SEC dump file is *not* used to pass state across restarts, but
>> it is rather intended to be a debugging measure. This file is never used
>> to initialize data structures at startup, but serves as a human readable
>> description of the current event correlation state.
>>
>> kind regards,
>> risto
>>
>> On 07/09/2013 04:37 AM, Orangepeel Beef wrote:
>> > I'm using date based file output in SEC and rsyslog to feed it, but
>> I
>> > noticed SEC was not changing to the new date file.
>> >
>> > So, I setup logrotate to restart rsyslog, and set SEC 2.7.4 to
>> --notail
>> > and now the files are being logged properly in the appropriate day
>> > (after the logrotate runs )
>> >
>> > But, I like to use an internal context to do a syslog heartbeat so
>> to
>> > speak, and since i'm now restarting nightly this is really not
>> that useful.
>> >
>> >
>> > #set up syslog heartbeat
>> > type=single
>> > ptype=regexp
>> > pattern=^\d+-\d+-\S+\s(\S+)\s+
>> > continue=takenext
>> > desc=[SEC-W] Have not received syslogs from $1 in 12 Hours
>> > action=create HEARTBEAT_$1 43200 (shellcmd echo $0 |
>> > /usr/local/sbin/sec_mail.pl<http://sec_mail.pl>
>> <http://sec_mail.pl> '%s' '%e' )
>> >
>> > I do set the SEC dumpfile, but i'm not sure that its maintaining
>> this
>> > state as SEC restarts.
>> >
>> >
>> >
>> > /usr/local/sbin/sec --conf=/usr/local/etc/sec/$CONF
>> > --pid=/tmp/sec-$CONF.pid --dump=/tmp/sec-$CONF.dump --debug=5
>> > --syslog=local1 --intevents --input=- --notail
>> >
>> >
>> >
>> >
>>
>> ------------------------------------------------------------------------------
>> > See everything from the browser to the database with AppDynamics
>> > Get end-to-end visibility with application monitoring from
>> AppDynamics
>> > Isolate bottlenecks and diagnose root cause in seconds.
>> > Start your free trial of AppDynamics Pro today!
>> >
>>
>> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
>>
>> <http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk>
>> >
>> >
>> >
>> > _______________________________________________
>> > Simple-evcorr-users mailing list
>> > [email protected]
>> <mailto:[email protected]>
>> > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>>
>>
>>
>> ------------------------------------------------------------------------------
>> See everything from the browser to the database with AppDynamics
>> Get end-to-end visibility with application monitoring from AppDynamics
>> Isolate bottlenecks and diagnose root cause in seconds.
>> Start your free trial of AppDynamics Pro today!
>>
>> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
>>
>> <http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk>
>> _______________________________________________
>> Simple-evcorr-users mailing list
>> [email protected]
>> <mailto:[email protected]>
>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>>
>>
>
>
> ------------------------------------------------------------------------------
> See everything from the browser to the database with AppDynamics
> Get end-to-end visibility with application monitoring from AppDynamics
> Isolate bottlenecks and diagnose root cause in seconds.
> Start your free trial of AppDynamics Pro today!
> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>
------------------------------------------------------------------------------
See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
