Hi Nitesh, is the problem caused by system log rotation which happens once a day? Is sec restarted during log rotation? This should not happen, since sec is able to handle rotation of its input files and switch over to a new input file instance in a fully automated way. When sec's own log file needs to be rotated, this doesn't require restarting sec either, and the USR2 signal forces sec to create a new log file instance after rotation.
So if sec is restarted during log rotation, it is entirely unnecessary, and I would recommend fixing the log rotation configuration. Can you tell us on what platform you are running sec and which tool is used for log rotation tasks? Since you have /var/log/secure in the /var/log directory, I have a feeling it is a CentOS/RedHat/Fedora platform?

kind regards,
risto

2016-01-07 9:37 GMT+02:00 nitesh kumar <delhinitesh2...@gmail.com>:
> Hey can you please provide some insight on this problem
>
> Considering this example from here -
> http://simple-evcorr.sourceforge.net/man.html#lbAD
>
> > /usr/bin/sec --conf=/etc/sec/sshd.rules --input=/var/log/secure-current.log
>
> in order to monitor the /var/log/secure file for sshd events.
>
> Also, suppose that the /etc/sec/sshd.rules configuration file contains the
> following rule for correlating SSH failed login events:
>
> > type=SingleWithThreshold
> > ptype=RegExp
> > context=[_FILE_EVENT_/var/log/secure-current.log]
> > pattern=sshd\[\d+\]: Failed .+ for (\S+) from [\d.]+ port \d+ ssh2
> > desc=10 SSH login failures within 2 days for user $1
> > action=pipe '%s' /bin/mail -s 'SSH login alert' root@localhost
> > window=172800
> > thresh=10
>
> Requirement:
> Alert if number of login failures for a user is more than 10 times over a
> period of 2 days (48 hours).
> Also the log /var/log/secure.log rotates every midnight.
> The log directory will look something like this:
>
> $ ls /var/log
> secure-20160102-000030.log
> secure-20160103-000030.log
> secure-20160104-000030.log
> secure-current.log -> secure-20160104-000030.log
>
> Question:
> How to save the operation count (which sec will construct from desc), as
> when the log rotates the count is lost?
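The SingleWithThreshold rule quoted in the thread counts sshd failures per user ($1) inside a sliding 48-hour window and fires when the count reaches 10. The following is an added example, not sec's code and not code from either poster, that reimplements that counting logic in Python over constructed log lines so the window/threshold semantics can be checked offline. Assumptions: the regex and the window and thresh values are taken from the quoted rule; event timestamps are epoch seconds supplied by the caller (the constructed lines carry a syslog-style date that is not parsed); when the threshold is reached the counter fires once and clears that user's window, a simplification of sec's behaviour; and the save/load state file is a hypothetical addition for surviving a process restart, not a sec feature (as Risto notes, sec itself does not need restarting on rotation).

```python
import json
import os
import re
import tempfile
from collections import defaultdict, deque

# Regex copied from the rule quoted in the thread; sec's $1 is group(1) here.
PATTERN = re.compile(r"sshd\[\d+\]: Failed .+ for (\S+) from [\d.]+ port \d+ ssh2")
WINDOW = 172800   # window=172800 in the rule: 2 days in seconds
THRESH = 10       # thresh=10 in the rule


class ThresholdCounter:
    """Sliding-window counter keyed by the user captured as $1.

    Simplification relative to sec: when the threshold is reached the
    counter fires once and the user's window is cleared.
    """

    def __init__(self, window=WINDOW, thresh=THRESH):
        self.window = window
        self.thresh = thresh
        self.events = defaultdict(deque)   # user -> deque of epoch timestamps

    def feed(self, ts, line):
        """Return the alert text when the threshold is reached, else None."""
        m = PATTERN.search(line)
        if m is None:
            return None
        user = m.group(1)
        q = self.events[user]
        q.append(ts)
        # Slide the window: drop failures older than `window` seconds.
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.thresh:
            q.clear()
            return f"{self.thresh} SSH login failures within 2 days for user {user}"
        return None

    def count(self, user):
        """Number of failures currently inside the window for `user`."""
        return len(self.events.get(user, ()))

    # Hypothetical state persistence (not a sec feature): keeps in-flight
    # counts across a restart of the monitoring process.
    def save(self, path):
        with open(path, "w") as fh:
            json.dump({u: list(q) for u, q in self.events.items() if q}, fh)

    @classmethod
    def load(cls, path, window=WINDOW, thresh=THRESH):
        c = cls(window, thresh)
        with open(path) as fh:
            for user, stamps in json.load(fh).items():
                c.events[user].extend(stamps)
        return c


def failure_line(user, ip="192.0.2.10", pid=1234):
    """Build a constructed /var/log/secure style sshd failure line."""
    return (f"Jan  7 09:37:01 host sshd[{pid}]: Failed password for {user} "
            f"from {ip} port 51234 ssh2")


def run_burst(user, n, spacing):
    """Feed n constructed failures for `user`, `spacing` seconds apart.
    Returns the list of alerts produced."""
    c = ThresholdCounter()
    alerts = []
    for i in range(n):
        a = c.feed(i * spacing, failure_line(user))
        if a:
            alerts.append(a)
    return alerts


def restart_preserves_count(user, n):
    """Feed n failures, save state, reload it as a 'restarted' counter
    and return (count before restart, count after restart)."""
    c = ThresholdCounter()
    for i in range(n):
        c.feed(i, failure_line(user))
    path = os.path.join(tempfile.mkdtemp(), "state.json")
    c.save(path)
    c2 = ThresholdCounter.load(path)
    return c.count(user), c2.count(user)


if __name__ == "__main__":
    # 10 failures within 10 minutes: the threshold is reached and an alert fires.
    print(run_burst("root", 10, 60))
    # 10 failures spread over 50 hours: the oldest has left the 48h window, no alert.
    print(run_burst("root", 10, 20000))
    print(restart_preserves_count("alice", 9))
```

The second burst in the usage shows the property the rule depends on: a window of 172800 seconds is sliding, so ten failures that span more than two days never reach the threshold, while ten failures inside the window do.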
------------------------------------------------------------------------------
_______________________________________________ Simple-evcorr-users mailing list Simple-evcorr-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users