2015-09-21 20:01 GMT+03:00 thin aung <thinza...@gmail.com>:
> Hello,
>
> I would like to seek help with the following Rules I created.
> Basically, I am trying to correlate pattern1 and pattern2 and write both
> of them to the new log file when the event2 occurred after 10 secs of
> event1.
>
> When I tested the rule by feeding the sample log files thru keyboard input
> and it is working as expected.
>
> But, the issue happened when I actually monitor log files (I've more than
> 1 log to monitor and I used one SEC process to monitor them all -
> --input=/logs/g*/system.log)
>
...forgot to mention in my previous post that the wildcard pattern '/logs/g*/system.log' is only evaluated at sec startup and restarts. In other words, if a new input file is created while sec is running, it is not opened until sec receives the ABRT or HUP signal. Re-evaluating the file pattern before every read operation from input is expensive, and if the set of input files changes frequently, it is more efficient to direct relevant events into one input file for sec.

regards,
risto
------------------------------------------------------------------------------
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
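The following is an added example, not part of the original thread or of SEC itself: a small watcher that re-evaluates the wildcard outside of sec at a fixed interval and sends sec the ABRT signal only when the set of matching files has changed, so new logs are not silently left unmonitored. The function names, the state file, the pid file path and the polling interval are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). All paths and names are assumptions.

# Print the regular files currently matching a glob pattern, sorted.
# $1 is left unquoted on purpose so the shell expands the wildcard;
# this assumes the pattern itself contains no whitespace.
list_inputs() {
    for f in $1; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done | sort
}

# Return 0 if the matching set differs from the one saved in the state
# file ($2), and record the current set for the next comparison.
inputs_changed() {
    new=$(list_inputs "$1")
    old=$(cat "$2" 2>/dev/null || true)
    printf '%s\n' "$new" > "$2"
    [ "$new" != "$old" ]
}

# Send ABRT to the sec process named in the pid file ($1), which makes
# sec evaluate the wildcard again and open files it has not seen yet.
notify_sec() {
    pid=$(cat "$1" 2>/dev/null) || return 1
    kill -s ABRT "$pid"
}

# Poll every $4 seconds; signal sec only when the file set changes.
watch_inputs() {
    inputs_changed "$1" "$3" || true   # seed state: sec already has these
    while :; do
        sleep "$4"
        if inputs_changed "$1" "$3"; then
            notify_sec "$2" || echo "sec pid file $2 unusable" >&2
        fi
    done
}

# Run as: watcher.sh --run '/logs/g*/system.log' PIDFILE STATEFILE [SECS]
if [ "${1:-}" = "--run" ]; then
    watch_inputs "$2" "$3" "$4" "${5:-30}"
fi
```

A log directory that appears between two polls goes unread until the next poll, so the interval bounds how long events from a new source can be missed.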