That's probably the best way to manually fix it on Fedora.

However, this change has already been included in the most recent (>= 2.7.7)
RPM packages for the Fedora and CentOS platforms:
http://koji.fedoraproject.org/koji/buildinfo?buildID=703582
http://koji.fedoraproject.org/koji/buildinfo?buildID=703588

Unless you are running an older Fedora/CentOS where you can't update the
sec package, I would simply recommend upgrading sec from the EPEL
repository to get that change. Of course, for other and more exotic
platforms a manual change might still be necessary.

kind regards,
risto



2016-01-08 4:40 GMT+02:00 Bill Shirley <bshir...@memphis.apirx.biz>:

> I'm not the original poster.  Just hoping this helps:
> [0:root@elmo Maildir]$ cat /etc/redhat-release
> Fedora release 22 (Twenty Two)
> [0:root@elmo Maildir]$ cat /etc/logrotate.d/sec
> /var/log/sec {
>      missingok
>      notifempty
>      sharedscripts
>      postrotate
> #        /sbin/service sec reload >/dev/null 2>&1 || true
>         /bin/kill -USR2 `cat /run/sec.pid 2> /dev/null` 2> /dev/null || true
>      endscript
> }
>
>
> Bill
>
> On 1/7/2016 4:21 AM, Risto Vaarandi wrote:
> > hi Nitesh,
> > is the problem caused by system log rotation which happens once a day?
> > Is sec restarted during log rotation? This should not happen, since sec
> > is able to handle rotation of its input files and switch over to new
> > input file instance in a fully automated way. When sec's own log file
> > needs to be rotated, this doesn't require restarting sec either, and the
> > USR2 signal forces sec to create a new log file instance after rotation.
> >
> > So if sec is restarted during log rotation, it is entirely unnecessary,
> > and I would recommend to fix the log rotation configuration. Can you
> > tell us on what platform you are running sec and which tool is used for
> > log rotation tasks? Since you have /var/log/secure in the /var/log
> > directory, I have a feeling it is Centos/RedHat/Fedora platform?
> >
> > kind regards,
> > risto
> >
> > 2016-01-07 9:37 GMT+02:00 nitesh kumar <delhinitesh2...@gmail.com>:
> >
> >     Hey can you please provide some insight on this problem
> >
> >     Considering this example from here -
> >     http://simple-evcorr.sourceforge.net/man.html#lbAD
> >
> >     /usr/bin/sec --conf=/etc/sec/sshd.rules --input=/var/log/secure-current.log
> >
> >     in order to monitor the /var/log/secure file for sshd events.
> >
> >     Also, suppose that the /etc/sec/sshd.rules configuration file
> >     contains the following rule for correlating SSH failed login events:
> >
> >     type=SingleWithThreshold
> >     ptype=RegExp
> >     context=[_FILE_EVENT_/var/log/secure-current.log]
> >     pattern=sshd\[\d+\]: Failed .+ for (\S+) from [\d.]+ port \d+ ssh2
> >     desc=10 SSH login failures within 2 days for user $1
> >     action=pipe '%s' /bin/mail -s 'SSH login alert' root@localhost
> >     window=172800
> >     thresh=10
> >
> >     Requirement – :
> >
> >     Alert if number of login failures for a user is more than 10 times
> >     over a period of 2 days (48 hours).
> >
> >     Also the log /var/log/secure.log rotates every midnight.
> >
> >     The log directory will look something like this :
> >
> >     $ls /var/log
> >     secure-20160102-000030.log
> >     secure-20160103-000030.log
> >     secure-20160104-000030.log
> >     secure-current.log -> secure-20160104-000030.log
> >
> >     Question –:
> >
> >     How to save the operation count (which sec will construct from
> >     desc ), as when the log rotates the count is lost?
> >
> >
> >
> >     ------------------------------------------------------------------------------
> >     _______________________________________________
> >     Simple-evcorr-users mailing list
> >     Simple-evcorr-users@lists.sourceforge.net
> >     https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>
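
As an added example (not part of the thread or of the sec package), the script below checks a logrotate file for the distinction discussed above: whether `postrotate` only signals sec with USR2 or reloads/restarts it. The function names and sample file names are assumptions, as is treating `service sec reload` as state-resetting; the first sample is the stanza quoted above and the second is constructed from it.

```shell
#!/bin/sh
# Added example: classify what a logrotate postrotate script does to sec.
# Output: "reopen"  - only sends USR2 (sec reopens its log file, state kept)
#         "restart" - reloads/restarts sec (assumed to reset correlation state)
#         "none"    - no sec-related action found in postrotate
classify_postrotate() {   # $1 = logrotate config file
    awk '
        /^[ \t]*#/          { next }              # commented-out lines do nothing
        /^[ \t]*postrotate/ { inpost = 1; next }
        /^[ \t]*endscript/  { inpost = 0; next }
        !inpost             { next }
        /kill[ \t]+-(SIG)?USR2[ \t]/               { reopen = 1 }
        /service[ \t]+sec[ \t]+(restart|reload)/   { restart = 1 }
        /systemctl[ \t]+(restart|reload)[ \t]+sec/ { restart = 1 }
        /kill[ \t]+-(SIG)?HUP[ \t]/  { restart = 1 }  # SIGHUP = full restart per sec(1)
        END {
            if (restart)     print "restart"
            else if (reopen) print "reopen"
            else             print "none"
        }
    ' "$1"
}

# Constructed sample inputs: the stanza from the thread, and the same stanza
# with the reload line active and the kill line removed.
write_samples() {   # $1 = directory to write into
    cat > "$1/sec.fixed" <<'EOF'
/var/log/sec {
    missingok
    notifempty
    sharedscripts
    postrotate
#        /sbin/service sec reload >/dev/null 2>&1 || true
        /bin/kill -USR2 `cat /run/sec.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
EOF
    sed -e 's|^#\( *\)/sbin/service|\1/sbin/service|' -e '/kill -USR2/d' \
        "$1/sec.fixed" > "$1/sec.old"
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in "$tmp"/sec.*; do
    printf '%s: %s\n' "${f##*/}" "$(classify_postrotate "$f")"
done
rm -rf "$tmp"
```

Pointing `classify_postrotate` at `/etc/logrotate.d/sec` on a host shows whether a nightly rotation can interrupt a long-window rule such as the 2-day SSH failure threshold.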