hi Nitesh,
the hack has already been suggested in one of the previous posts -- you
need to look into /etc/logrotate.d/sec and modify it accordingly:
http://sourceforge.net/p/simple-evcorr/mailman/message/34748507/
Also, I would strongly recommend upgrading from version 2.4.0 to the
latest 2.7 branch, since version 2.4.0 is 10 years old and the 2.4 branch
was obsoleted in 2009. In case you are running RHEL 5, you can fetch a
more modern sec rpm package from the EPEL repository:
https://dl.fedoraproject.org/pub/epel/5/x86_64/repoview/sec.html
regards,
risto
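Added example (editor's code, not part of this thread and not SEC's own code): the script below approximates the SingleWithThreshold rule from Nitesh's original message (sliding window of 172800 seconds, threshold 10, keyed on the user name captured as $1) in Python and feeds it two consecutive daily input files, the way sec sees them after the midnight rotation. The log lines are constructed, not real data; the hostname "bastion", the IP addresses and the year 2016 (syslog timestamps carry no year) are assumptions. It shows why the logrotate fix matters: the count lives in the correlator process, so it survives the switch from one rotated input file to the next as long as the process keeps running, whereas restarting it at every rotation discards the in-memory count and the threshold is never reached.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# The pattern from the rule quoted in the thread, preceded by a syslog
# timestamp and hostname so the correlator can order events in time.
FAILED_LOGIN_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"sshd\[\d+\]: Failed .+ for (\S+) from [\d.]+ port \d+ ssh2"
)


class SingleWithThreshold:
    """Approximation of SEC's SingleWithThreshold rule: count matching events
    per key ($1, the user name) inside a sliding window of `window` seconds.
    When `thresh` events are counted, fire the action once and ignore further
    events for that key until the window started by the first counted event
    has expired. All state lives in memory, like in a running sec process."""

    def __init__(self, window=172800, thresh=10, year=2016):
        self.window = window
        self.thresh = thresh
        self.year = year                   # assumed: syslog lines carry no year
        self.counted = defaultdict(deque)  # user -> timestamps inside the window
        self.suppress_until = {}           # user -> end of an operation that fired
        self.alerts = []

    def _timestamp(self, text):
        dt = datetime.strptime(f"{self.year} {text}", "%Y %b %d %H:%M:%S")
        return dt.replace(tzinfo=timezone.utc).timestamp()

    def feed(self, line):
        """Process one log line; return the alert text if the action fired."""
        m = FAILED_LOGIN_RE.match(line)
        if not m:
            return None
        ts, user = self._timestamp(m.group(1)), m.group(2)

        # An operation that already fired ignores events until its window ends.
        if user in self.suppress_until:
            if ts < self.suppress_until[user]:
                return None
            del self.suppress_until[user]

        q = self.counted[user]
        q.append(ts)
        while ts - q[0] >= self.window:    # slide: drop events older than the window
            q.popleft()
        if len(q) < self.thresh:
            return None

        alert = f"{self.thresh} SSH login failures within 2 days for user {user}"
        self.alerts.append(alert)
        self.suppress_until[user] = q[0] + self.window
        q.clear()
        return alert


def make_failures(day, first_hour, count, user, ip="10.0.0.5"):
    """Constructed /var/log/secure style lines (not real data), one per hour."""
    return [
        f"Jan {day:2d} {first_hour + i:02d}:15:00 bastion sshd[{4000 + i}]: "
        f"Failed password for {user} from {ip} port {50000 + i} ssh2"
        for i in range(count)
    ]


# Two consecutive daily files, as left behind by the midnight rotation in the
# thread: six failures for root on Jan 2, four more on Jan 3 (25 hours apart).
ROTATED_FILES = [
    make_failures(2, 10, 6, "root")
    + ["Jan  2 17:00:00 bastion sshd[4100]: Accepted publickey for alice "
       "from 10.0.0.7 port 51000 ssh2"],
    make_failures(3, 8, 4, "root") + make_failures(3, 9, 3, "alice"),
]


def run_without_restart(files, **rule):
    """sec keeps running across rotation (USR2 only reopens its own log file),
    so counts carry over from one input file instance to the next."""
    corr = SingleWithThreshold(**rule)
    for lines in files:
        for line in lines:
            corr.feed(line)
    return corr.alerts


def run_with_restart(files, **rule):
    """sec restarted by a postrotate script: every restart begins with empty
    counters, so failures spread over two files never reach the threshold."""
    alerts = []
    for lines in files:
        corr = SingleWithThreshold(**rule)
        for line in lines:
            corr.feed(line)
        alerts.extend(corr.alerts)
    return alerts


if __name__ == "__main__":
    print("no restart:", run_without_restart(ROTATED_FILES))
    print("restart   :", run_with_restart(ROTATED_FILES))
```

Running it prints one alert for root in the first case and nothing in the second; passing a different `thresh` or `window` to either function shows the same rule with other parameters, and two files more than 48 hours apart show the window sliding past the old events.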
2016-01-11 12:59 GMT+02:00 nitesh kumar <delhinitesh2...@gmail.com>:
>
> Hey,
>
>
> Thanks a lot for the reply and your inputs.
>
> Yes, you are correct, this is happening when log rotation happens, which is
> every day. Also, sec is not restarted during this.
> I am working on RHEL Unix boxes.
>
> I checked, and I have an older version of SEC:
> SEC (Simple Event Correlator) 2.4.0
>
> Do you think the problem will go away if it is upgraded? Also, I am not
> entirely sure whether it will be updated, as it is not my private system but
> belongs to the organization I work in.
> Can you suggest any other hack which will help to solve the problem?
>
>
> On Fri, Jan 8, 2016 at 3:05 PM, Risto Vaarandi <risto.vaara...@gmail.com>
> wrote:
>
>> That's probably the best way to manually fix it on Fedora.
>>
>> However, this change has already been included in the most recent (>=
>> 2.7.7) RPM packages for the Fedora and CentOS platforms:
>> http://koji.fedoraproject.org/koji/buildinfo?buildID=703582
>> http://koji.fedoraproject.org/koji/buildinfo?buildID=703588
>>
>> Unless you are running an older Fedora/CentOS where you can't update the
>> sec package, I would simply recommend upgrading sec from the EPEL
>> repository to get that change. Of course, for other and more exotic
>> platforms a manual change might still be necessary.
>>
>> kind regards,
>> risto
>>
>>
>>
>> 2016-01-08 4:40 GMT+02:00 Bill Shirley <bshir...@memphis.apirx.biz>:
>>
>>> I'm not the original poster. Just hoping this helps:
>>> [0:root@elmo Maildir]$ cat /etc/redhat-release
>>> Fedora release 22 (Twenty Two)
>>> [0:root@elmo Maildir]$ cat /etc/logrotate.d/sec
>>> /var/log/sec {
>>>     missingok
>>>     notifempty
>>>     sharedscripts
>>>     postrotate
>>>         # /sbin/service sec reload >/dev/null 2>&1 || true
>>>         # USR2 makes the running sec reopen its own log file; no restart,
>>>         # so correlation state is kept
>>>         /bin/kill -USR2 `cat /run/sec.pid 2> /dev/null` 2> /dev/null || true
>>>     endscript
>>> }
>>>
>>>
>>> Bill
>>>
>>> On 1/7/2016 4:21 AM, Risto Vaarandi wrote:
>>> > hi Nitesh,
>>> > is the problem caused by system log rotation which happens once a day?
>>> > Is sec restarted during log rotation? This should not happen, since sec
>>> > is able to handle rotation of its input files and switch over to a new
>>> > input file instance in a fully automated way. When sec's own log file
>>> > needs to be rotated, this doesn't require restarting sec either, and
>>> > the USR2 signal forces sec to create a new log file instance after
>>> > rotation.
>>> >
>>> > So if sec is restarted during log rotation, it is entirely unnecessary,
>>> > and I would recommend fixing the log rotation configuration. Can you
>>> > tell us on what platform you are running sec and which tool is used for
>>> > log rotation tasks? Since you have /var/log/secure in the /var/log
>>> > directory, I have a feeling it is a CentOS/RedHat/Fedora platform?
>>> >
>>> > kind regards,
>>> > risto
>>> >
>>> > 2016-01-07 9:37 GMT+02:00 nitesh kumar <delhinitesh2...@gmail.com>:
>>>
>>> >
>>> > Hey, can you please provide some insight on this problem.
>>> >
>>> > Considering this example from here -
>>> > http://simple-evcorr.sourceforge.net/man.html#lbAD
>>> >
>>> > /usr/bin/sec --conf=/etc/sec/sshd.rules --input=/var/log/secure-current.log
>>> >
>>> > in order to monitor the /var/log/secure file for sshd events.
>>> >
>>> > Also, suppose that the /etc/sec/sshd.rules configuration file
>>> > contains the following rule for correlating SSH failed login events:
>>> >
>>> > type=SingleWithThreshold
>>> > ptype=RegExp
>>> > context=[_FILE_EVENT_/var/log/secure-current.log]
>>> > pattern=sshd\[\d+\]: Failed .+ for (\S+) from [\d.]+ port \d+ ssh2
>>> > desc=10 SSH login failures within 2 days for user $1
>>> > action=pipe '%s' /bin/mail -s 'SSH login alert' root@localhost
>>> > window=172800
>>> > thresh=10
>>> >
>>> > Requirement:
>>> >
>>> > Alert if the number of login failures for a user is more than 10 times
>>> > over a period of 2 days (48 hours).
>>> >
>>> > Also, the log /var/log/secure.log rotates every midnight.
>>> >
>>> > The log directory will look something like this:
>>> >
>>> > $ ls /var/log
>>> > secure-20160102-000030.log
>>> > secure-20160103-000030.log
>>> > secure-20160104-000030.log
>>> > secure-current.log -> secure-20160104-000030.log
>>> >
>>> > Question:
>>> >
>>> > How do I save the operation count (which sec will construct from desc),
>>> > as the count is lost when the log rotates?
>>> >
>>> >
>>> >
>>>
>>> ------------------------------------------------------------------------------
>>> >
>>> > _______________________________________________
>>> > Simple-evcorr-users mailing list
>>> > Simple-evcorr-users@lists.sourceforge.net
>>> > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>>> >