Hello! I'm relatively new to SEC, and only recently started using it to monitor the state of security for Linux systems by processing logs.
However, several of my rules require "transaction"-like procedures where I use SEC contexts to maintain state information and, when a transaction is complete, I commit a set of changes. This has raised two issues, and although I think I have some ideas of how to solve them, I wanted to reach out to more experienced users of SEC to see if there are better ideas than my own. The issues are:

1. Maintaining state information if SEC execution is interrupted, i.e., if SEC gets shut down and restarted, the SEC contexts are lost. My first thought is to use SEC_INTERNAL_EVENT and simply write the various states to a file during SEC_SHUTDOWN, and read the state information back during SEC_STARTUP. Is there a better way? Perhaps a built-in capability? Any examples of this type of thing anyone can share?

2. When SEC is shut down and restarted, it appears to read from the end of the input log file. So, any new log entries written during the period SEC was not running do not get processed. This is problematic since I may have a transaction in progress that is waiting for an event that was missed during the SEC shutdown/restart cycle. Is there a way to have SEC read the input log from where it left off? And I guess a following problem would be how to handle it if the log file got rotated? Any ideas here?

Thanks for any help...

Bond

Simple-evcorr-users mailing list, Simple-evcorr-users@lists.sourceforge.net, https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
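The two problems raised above (persisting in-progress transaction state across a restart, and resuming a log file from where processing stopped, including after rotation) are generic to any log-driven correlator, so the following added example illustrates the approach in plain Python rather than in SEC's own rule language. It is not code from SEC or from the original post: the checkpoint file layout (inode plus byte offset), the JSON state file, the `read_new_lines`/`SessionTracker`/`run_once` names and the sshd-style sample lines are all constructed for this example. Rotation is detected when the file's inode changes or its size drops below the saved offset, and only complete lines are consumed so a partially written line is picked up on the next run.

```python
"""Checkpointed log reader plus persisted transaction state.

Illustrative example (not SEC's own code): the checkpoint/state file
formats and the syslog-shaped sample lines below are constructed.
"""
import json
import os
import re
from pathlib import Path

# Constructed patterns in the shape of pam_unix session messages.
SESSION_OPEN = re.compile(r"session opened for user (\S+)")
SESSION_CLOSE = re.compile(r"session closed for user (\S+)")


def read_new_lines(log_path, checkpoint_path):
    """Return complete lines appended since the last run and advance the checkpoint.

    The checkpoint stores the inode and byte offset of the last consumed line.
    A different inode, or a file shorter than the offset, means the log was
    rotated or truncated, so reading restarts from the beginning of the new file.
    """
    log = Path(log_path)
    checkpoint = Path(checkpoint_path)
    state = {"inode": None, "offset": 0}
    if checkpoint.exists():
        state = json.loads(checkpoint.read_text())

    st = os.stat(log)
    if state["inode"] != st.st_ino or st.st_size < state["offset"]:
        state = {"inode": st.st_ino, "offset": 0}

    with open(log, "rb") as fh:
        fh.seek(state["offset"])
        data = fh.read()

    # Consume only whole lines; a trailing partial line waits for the next run.
    last_newline = data.rfind(b"\n")
    complete = b"" if last_newline == -1 else data[: last_newline + 1]
    state["offset"] += len(complete)
    checkpoint.write_text(json.dumps(state))
    return complete.decode("utf-8", "replace").splitlines()


class SessionTracker:
    """Tracks open sessions (the 'transaction' in progress) and persists them."""

    def __init__(self, state_path):
        self.state_path = Path(state_path)
        self.open_sessions = {}   # user -> line that opened the session
        self.completed = []       # (open line, close line) pairs seen this run
        if self.state_path.exists():
            # Equivalent of re-reading saved context on SEC_STARTUP.
            self.open_sessions = json.loads(self.state_path.read_text())

    def process(self, line):
        m = SESSION_OPEN.search(line)
        if m:
            self.open_sessions[m.group(1)] = line
            return
        m = SESSION_CLOSE.search(line)
        if m and m.group(1) in self.open_sessions:
            opened = self.open_sessions.pop(m.group(1))
            self.completed.append((opened, line))

    def save(self):
        # Equivalent of writing context state to a file on SEC_SHUTDOWN.
        self.state_path.write_text(json.dumps(self.open_sessions))


def run_once(log_path, checkpoint_path, state_path):
    """One process lifetime: load state, consume new lines, save state."""
    tracker = SessionTracker(state_path)
    for line in read_new_lines(log_path, checkpoint_path):
        tracker.process(line)
    tracker.save()
    return tracker


if __name__ == "__main__":
    import tempfile
    work = Path(tempfile.mkdtemp())
    log, cp, st = work / "auth.log", work / "checkpoint.json", work / "state.json"
    log.write_text("Jan  1 00:00:01 host sshd[1]: session opened for user alice\n")
    first = run_once(log, cp, st)
    print("open after run 1:", first.open_sessions)
    with open(log, "a") as fh:
        fh.write("Jan  1 00:00:05 host sshd[1]: session closed for user alice\n")
    second = run_once(log, cp, st)
    print("completed after run 2:", second.completed)
```

Each `run_once` call stands in for one SEC process lifetime: the session opened in the first run is still known in the second run because it was saved to the state file, and the second run reads only the lines appended after the first run's checkpoint.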