What I do is:

module(load="omprog")
$template myformat,"%hostname%"

action(type="omprog" name="myname" binary="/usr/bin/sec --conf=/etc/sec/myname --intevents --intcontexts --dump=/tmp/dumpfile.myname --debug=3 --log=/var/log/sec-myname --notail --input -" template="myformat" hup.signal="USR2")


this is messy, but it does a lot of things

omprog is the rsyslog module that will start a program, restart it if it dies, etc.

defining myformat lets me pass things to sec in a format easy for sec to understand (regex parsing is horribly slow)

then in the action, I call sec with a bunch of parameters so that it logs to a file (but not too much), has a dumpfile defined, creates events and contexts for startup/shutdown/restart, and when rsyslog is sent a HUP to roll its logs, sec will get USR2 instead of HUP so it won't do a full shutdown/restart

David Lang

On Tue, 12 Apr 2016, Martin Etcheverry wrote:

Date: Tue, 12 Apr 2016 16:08:35 -0300
From: Martin Etcheverry <mar...@etcheverri.com>
To: simple-evcorr-users@lists.sourceforge.net
Subject: [Simple-evcorr-users] rsyslog sending directly log to sec

Hi, I am a noob with sec. I already have rsyslog sending all logs to
elasticsearch, but I want that on some specific events sec triggers a mail to
me.
Maybe it is an always-asked question, but I didn't find information about
rsyslog sending the logs (without a file) directly to sec.

Thanks in advance for any hint

Best Regards
                  Martin
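
A rules file that could sit behind the omprog action above and send the mail asked about, as an added example that is not from either poster. The host name db01, the recipient root@localhost and the /usr/bin/mail path are constructed placeholders; the file name follows the --conf option in the reply.

```conf
# /etc/sec/myname -- constructed example rules, not from the original thread.
# With template "%hostname%" each input line on stdin is just a host name.

# --intevents makes SEC generate the synthetic event SEC_STARTUP each time
# omprog launches it. The SEC_INTERNAL_EVENT context exists only while an
# internal event is being processed, so a forwarded log line that merely
# contains the text "SEC_STARTUP" cannot fire this rule.
# Mail on startup reveals when rsyslog had to restart a dead sec process
# (all correlation state was lost at that point).
type=Single
ptype=SubStr
pattern=SEC_STARTUP
context=SEC_INTERNAL_EVENT
desc=sec was started by rsyslog omprog
action=pipe '%s' /usr/bin/mail -s 'sec started' root@localhost

# Mail when a line from one host arrives, at most once per 300 seconds.
# SubStr is a plain substring match, so no regular expression is evaluated
# per line. "db01" is a placeholder host name.
type=SingleWithSuppress
ptype=SubStr
pattern=db01
desc=event received from db01
action=pipe '%s' /usr/bin/mail -s 'sec alert' root@localhost
window=300
```

With --debug=3 only warnings and more severe messages reach /var/log/sec-myname, so these rules use the pipe action rather than logonly, whose output is written at a lower severity.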
