I have rsyslog starting sec with lines like:

action(type="omprog" name="sec-heartbeat" binary="/usr/bin/sec --conf=/etc/sec/missing-logs --intevents --intcontexts --dump=/tmp/dumpfile.missing-logs --debug=5 --log=/var/log/sec-missing-logs --input -" template="manual" hup.signal="USR2")

I'm running into a problem where sec is 'lost' by rsyslog. Rsyslog starts a new
copy, but the instance of sec continues to run (and causes alerts based on the
lack of new input).

The log at debug level 5 shows things like:

Wed Jul 15 11:14:01 2015: SIGUSR2 received: closing outputs and restarting logging
Wed Jul 15 11:14:01 2015: Creating SEC internal context 'SEC_INTERNAL_EVENT'
Wed Jul 15 11:14:01 2015: Creating SEC internal event 'SEC_LOGROTATE'
Wed Jul 15 11:14:01 2015: Deleting SEC internal context 'SEC_INTERNAL_EVENT'
Wed Jul 15 11:14:27 2015: SEC (Simple Event Correlator) 2.7.5
Wed Jul 15 11:14:27 2015: Reading configuration from /etc/sec/missing-logs
Wed Jul 15 11:14:27 2015: Opening input file -
Wed Jul 15 11:14:27 2015: Creating SEC internal context 'SEC_INTERNAL_EVENT'
Wed Jul 15 11:14:27 2015: Creating SEC internal event 'SEC_STARTUP'
Wed Jul 15 11:14:27 2015: Deleting SEC internal context 'SEC_INTERNAL_EVENT'
Wed Jul 15 11:14:35 2015: SEC (Simple Event Correlator) 2.7.5
Wed Jul 15 11:14:35 2015: Reading configuration from /etc/sec/missing-logs
Wed Jul 15 11:14:35 2015: Opening input file -
Wed Jul 15 11:14:35 2015: Creating SEC internal context 'SEC_INTERNAL_EVENT'
Wed Jul 15 11:14:35 2015: Creating SEC internal event 'SEC_STARTUP'
Wed Jul 15 11:14:35 2015: Deleting SEC internal context 'SEC_INTERNAL_EVENT'
Wed Jul 15 11:15:01 2015: SIGUSR2 received: closing outputs and restarting logging
Wed Jul 15 11:15:01 2015: Creating SEC internal context 'SEC_INTERNAL_EVENT'
Wed Jul 15 11:15:01 2015: Creating SEC internal event 'SEC_LOGROTATE'
Wed Jul 15 11:15:01 2015: Deleting SEC internal context 'SEC_INTERNAL_EVENT'
Wed Jul 15 11:16:02 2015: SIGUSR2 received: closing outputs and restarting logging
Wed Jul 15 11:16:02 2015: Creating SEC internal context 'SEC_INTERNAL_EVENT'
Wed Jul 15 11:16:02 2015: Creating SEC internal event 'SEC_LOGROTATE'
Wed Jul 15 11:16:02 2015: Deleting SEC internal context 'SEC_INTERNAL_EVENT'

What can I do to try and get more info from sec about what it's seeing happen?

This was happening every few weeks, but today it's happening much more
frequently (twice in a minute in the sample logs above).

David Lang
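
Added example, not part of the original message and not code from sec or rsyslog: a small parser for the sec debug log format quoted above that flags a startup banner arriving with no stop line logged since the previous banner, which is the pattern at 11:14:27 and 11:14:35. The sample lines are constructed from that excerpt, and the stop pattern (STOP_RE) is an assumption about what a cleanly terminated instance logs.

```python
import re
from datetime import datetime

# Constructed sample, abridged from the debug log quoted in the message above.
SAMPLE_LOG = """\
Wed Jul 15 11:14:01 2015: SIGUSR2 received: closing outputs and restarting
logging
Wed Jul 15 11:14:27 2015: SEC (Simple Event Correlator) 2.7.5
Wed Jul 15 11:14:27 2015: Opening input file -
Wed Jul 15 11:14:35 2015: SEC (Simple Event Correlator) 2.7.5
Wed Jul 15 11:14:35 2015: Opening input file -
"""

LINE_RE = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}): (.*)$")
STARTUP = "SEC (Simple Event Correlator)"
# Assumption: a cleanly stopped instance logs a line matching this pattern.
STOP_RE = re.compile(r"SIGTERM received")

def parse(text):
    """Return [(datetime, message)], folding mail-wrapped lines into the previous entry."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            entries.append((ts, m.group(2).strip()))
        elif entries and raw.strip():
            ts, msg = entries[-1]
            entries[-1] = (ts, msg + " " + raw.strip())
    return entries

def overlapping_starts(entries):
    """Return (previous_start, this_start, gap_seconds) for banners with no stop in between."""
    findings, last_start, stopped = [], None, True
    for ts, msg in entries:
        if STOP_RE.search(msg):
            stopped = True
        elif msg.startswith(STARTUP):
            if last_start is not None and not stopped:
                findings.append((last_start, ts, (ts - last_start).total_seconds()))
            last_start, stopped = ts, False
    return findings

if __name__ == "__main__":
    for prev, cur, gap in overlapping_starts(parse(SAMPLE_LOG)):
        print(f"start at {cur} follows start at {prev} after {gap:.0f}s, no stop logged")
```

Because every instance writes to the same --log file and the lines carry no PID, a finding only narrows down when a second copy appeared; it does not identify which process wrote which line.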

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users