I'm not the original poster. Just hoping this helps:
[0:root@elmo Maildir]$ cat /etc/redhat-release
Fedora release 22 (Twenty Two)
[0:root@elmo Maildir]$ cat /etc/logrotate.d/sec
/var/log/sec {
missingok
notifempty
sharedscripts
postrotate
# /sbin/service sec reload >/dev/null 2>&1 || true
/bin/kill -USR2 `cat /run/sec.pid 2> /dev/null` 2> /dev/null || true
endscript
}
Bill
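An added example, not Bill's config and not code from the SEC project: a small Python stand-in for the backtick postrotate line above. It keeps the page's pid file path (/run/sec.pid) and the USR2 signal, and adds the two checks the one-liner lacks: the pid file must hold a plain positive integer, and that pid must still belong to a running sec. The process check through /proc/<pid>/cmdline and the script location in the note below are this example's own assumptions.

```python
"""Safer replacement for the postrotate one-liner in /etc/logrotate.d/sec."""
import os
import re
import signal

PIDFILE = "/run/sec.pid"  # path used by the logrotate config above

# Matches an argv element that names the sec script ("/usr/bin/sec" or "sec").
# sec is a Perl script, so argv may be ["/usr/bin/sec", ...] or
# ["/usr/bin/perl", "/usr/bin/sec", ...]; option arguments (leading "-") are ignored
# so that "--conf=/etc/sec/..." does not count as a match.
SEC_ARGV = re.compile(r"(^|/)sec$")


def parse_pid(text):
    """Return the pid in pid-file contents, or None unless it is a plain positive integer."""
    text = text.strip()
    if not text.isdigit() or int(text) == 0:
        return None
    return int(text)


def cmdline_is_sec(argv):
    """True if an argv list (as read from /proc/<pid>/cmdline) runs sec."""
    return any(SEC_ARGV.search(arg) for arg in argv if not arg.startswith("-"))


def read_cmdline(pid):
    """Read /proc/<pid>/cmdline (Linux, assumed); [] if the process has gone away."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            return [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
    except OSError:
        return []


def target_pid(pidfile_text, cmdline_of=read_cmdline):
    """Decide whom to signal: the pid from the file, only if that pid is a running sec.

    A stale pid file can name an unrelated process whose pid was reused. The
    default disposition of SIGUSR2 is to terminate a process that does not
    handle it, so refusing to signal is the safe failure.
    """
    pid = parse_pid(pidfile_text)
    if pid is None or not cmdline_is_sec(cmdline_of(pid)):
        return None
    return pid


def reopen_sec_log(pidfile=PIDFILE, send=os.kill):
    """Send USR2 so sec reopens its own log after rotation; return the pid signalled or None."""
    try:
        with open(pidfile) as f:
            pid = target_pid(f.read())
    except OSError:
        return None
    if pid is None:
        return None
    send(pid, signal.SIGUSR2)
    return pid


if __name__ == "__main__":
    # Exit non-zero on refusal so logrotate reports the failed postrotate,
    # instead of the "|| true" in the one-liner hiding it.
    raise SystemExit(0 if reopen_sec_log() else 1)
```

Call it from postrotate in place of the kill line, for instance as /usr/local/sbin/sec-reopen (an assumed location), and keep sharedscripts. With the one-liner a missing or garbled pid file is silent; here the script exits 1 and the refusal shows up in logrotate's output.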
On 1/7/2016 4:21 AM, Risto Vaarandi wrote:
> hi Nitesh,
> is the problem caused by system log rotation which happens once a day? Is sec
> restarted during log rotation? This should not
> happen, since sec is able to handle rotation of its input files and switch
> over to new input file instance in a fully automated
> way. When sec's own log file needs to be rotated, this doesn't require
> restarting sec either, and the USR2 signal forces sec to
> create a new log file instance after rotation.
>
> So if sec is restarted during log rotation, it is entirely unnecessary, and I
> would recommend fixing the log rotation
> configuration. Can you tell us on what platform you are running sec and which
> tool is used for log rotation tasks? Since you
> have /var/log/secure in the /var/log directory, I have a feeling it is
> Centos/RedHat/Fedora platform?
>
> kind regards,
> risto
>
> 2016-01-07 9:37 GMT+02:00 nitesh kumar <[email protected]>:
>
> Hey can you please provide some insight on this problem
>
> Considering this example from here -
> http://simple-evcorr.sourceforge.net/man.html#lbAD
>
> /usr/bin/sec --conf=/etc/sec/sshd.rules
> --input=/var/log/secure-current.log
>
> in order to monitor the /var/log/secure file for sshd events.
>
> Also, suppose that the /etc/sec/sshd.rules configuration file contains
> the following rule for correlating SSH failed login
> events:
>
> type=SingleWithThreshold
>
> ptype=RegExp
>
> context=[_FILE_EVENT_/var/log/secure-current.log]
>
> pattern=sshd\[\d+\]: Failed .+ for (\S+) from [\d.]+ port \d+ ssh2
>
> desc=10 SSH login failures within 2 days for user $1
>
> action=pipe '%s' /bin/mail -s 'SSH login alert' root@localhost
>
> window=172800
>
> thresh=10
>
> Requirement:
>
> Alert if the number of login failures for a user exceeds 10 over a
> period of 2 days (48 hours).
>
> Also the log /var/log/secure.log rotates every midnight.
>
> The log directory will look something like this :
>
> $ ls /var/log
> secure-20160102-000030.log
> secure-20160103-000030.log
> secure-20160104-000030.log
> secure-current.log -> secure-20160104-000030.log
>
> Question:
>
> How can the operation count (which sec constructs from desc) be saved,
> since the count is lost when the log rotates?
>
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
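An added Python model of the SingleWithThreshold rule Nitesh quoted, written for this reply and not taken from SEC. It shows where the operation count lives: in the running process, keyed on the user captured by the pattern, so the rotation of secure-current.log described above does not touch it, as Risto says, and only a restart of sec discards it. The sliding window approximates SEC's bookkeeping (what to do after the action fires is this example's own choice), the log lines are constructed, the year is assumed because syslog timestamps carry none, and the JSON snapshot carried across a simulated restart is the example's own device, not a sec feature.

```python
"""Model of the SingleWithThreshold rule quoted in the thread."""
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# The pattern from the quoted rule, unchanged.  Note that [\d.]+ only matches
# dotted-quad IPv4 addresses, so failures from IPv6 clients are not counted.
PATTERN = re.compile(r"sshd\[\d+\]: Failed .+ for (\S+) from [\d.]+ port \d+ ssh2")
WINDOW = 172800  # window=172800 (48 hours)
THRESH = 10      # thresh=10
DESC = "{thresh} SSH login failures within 2 days for user {user}"
YEAR = 2016      # assumed: syslog timestamps in /var/log/secure carry no year


def parse(line, year=YEAR):
    """Return (epoch seconds, user) for a failed-login line, else None."""
    m = PATTERN.search(line)
    if m is None:
        return None
    stamp = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    return int(stamp.replace(tzinfo=timezone.utc).timestamp()), m.group(1)


class SingleWithThreshold:
    """Per-user sliding-window counter; an approximation of SEC's operation, not its code."""

    def __init__(self, window=WINDOW, thresh=THRESH, state=None):
        self.window, self.thresh = window, thresh
        self.seen = defaultdict(deque)          # user -> timestamps inside the window
        for user, stamps in (state or {}).items():
            self.seen[user] = deque(stamps)
        self.alerts = []                        # (epoch of triggering event, desc)

    def feed(self, line):
        parsed = parse(line)
        if parsed is None:
            return None
        ts, user = parsed
        q = self.seen[user]
        while q and ts - q[0] >= self.window:   # slide: forget events older than window
            q.popleft()
        q.append(ts)
        if len(q) >= self.thresh:
            desc = DESC.format(thresh=self.thresh, user=user)
            self.alerts.append((ts, desc))
            q.clear()                           # this example's choice: start a fresh count
            return desc
        return None

    def state(self):
        """JSON-serialisable snapshot of the in-process state a restart would lose."""
        return {user: list(q) for user, q in self.seen.items() if q}


def run(files, state=None):
    """Feed the files of a rotated log in order; return (alerts, state)."""
    rule = SingleWithThreshold(state=state)
    for lines in files:
        for line in lines:
            rule.feed(line)
    return rule.alerts, rule.state()


def failed(stamp, user, ip="10.0.0.5", pid=2211):
    """Constructed /var/log/secure line in the shape the rule expects."""
    return f"{stamp} elmo sshd[{pid}]: Failed password for {user} from {ip} port 51022 ssh2"


# Constructed contents of two daily files: 6 failures for admin on Jan 3, 4 more on Jan 4.
DAY1 = [failed(f"Jan  3 1{i}:00:00", "admin") for i in range(6)] + [
    "Jan  3 23:59:50 elmo sshd[2300]: Accepted publickey for bill from 10.0.0.9 port 40000 ssh2",
]
DAY2 = [failed(f"Jan  4 0{i}:30:00", "admin") for i in range(4)] + [
    failed("Jan  4 05:00:00", "root"),
]


def continuous():
    """sec kept running across rotation: the count spans both files (one alert)."""
    return run([DAY1, DAY2])[0]


def restarted_without_state():
    """sec restarted at rotation, as the thread warns against: the count is lost."""
    return run([DAY1])[0] + run([DAY2])[0]


def restarted_with_state():
    """Snapshot carried across a restart as JSON (this example's device, not a sec feature)."""
    day1_alerts, state = run([DAY1])
    return day1_alerts + run([DAY2], state=json.loads(json.dumps(state)))[0]


def stale_event_dropped():
    """A failure 49 hours before the first Jan 3 one lies outside the window and is not counted."""
    return run([[failed("Jan  1 09:00:00", "admin")], DAY1, DAY2])[0]


if __name__ == "__main__":
    for scenario in (continuous, restarted_without_state, restarted_with_state, stale_event_dropped):
        print(scenario.__name__, scenario())
```

Each scenario returns the alerts it produced: the continuous run and the run that carried its snapshot across the restart both fire on the tenth failure in the second file, the restart without state never reaches the threshold, and the stale-event case fires at the same moment as the continuous run because the 49-hour-old failure has slid out of the window.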