hi,
the SECRC environment variable can only point to one file, and you need to set this variable differently for each instance. For example:

env SECRC=/etc/sec/secrc1 /usr/bin/sec --pid=/run/sec1.pid --log=/var/log/sec1.log
env SECRC=/etc/sec/secrc2 /usr/bin/sec --pid=/run/sec2.pid --log=/var/log/sec2.log

In other words, the resource file is not designed as a mechanism for starting multiple instances, but it rather provides options for one specific instance.

If you are using a Linux distribution with systemd, I would recommend using the Environment directive in sec service files (if I am not mistaken, the %I specifier can be used with the Environment directive, which allows for having just one service file for multiple sec instances, and setting an instance-name-based value for SECRC). If you have systemd, there is also a relevant example in the sec rule repository:
https://github.com/simple-evcorr/rulesets/blob/master/systemd.md

kind regards,
risto

2016-10-04 22:30 GMT+03:00 Yahoo <rahni.wal...@yahoo.com>:
> Hello Mr. Vaarandi,
>
> I thought the SECRC variable only points to one location? We have this defined
> in /etc/sysconfig/sec:
> Export SECRC=/etc/sec/secrc
>
> Should I just be appending locations to the environment variable ie
>
> Export SECRC=$SECRC:/etc/sec/secrc:/etc/sec/secrc2 ...etc
>
> And if we did that, how would each instance of sec know which path to use for
> its resource file..?
>
> Thank you
>
>
>> On Oct 4, 2016, at 11:55 AM, Risto Vaarandi <risto.vaara...@gmail.com> wrote:
>>
>> hi,
>> when a sec process reads its resource file, *all* options from the
>> resource file are appended to its command line options (comment lines
>> and whitespace lines are excluded from consideration). Therefore, when
>> you start several sec instances with the same resource file, each
>> instance has identical command line options (an excerpt from sec dump
>> file):
>>
>> Program information:
>> ============================================================
>> Program version: SEC (Simple Event Correlator) 2.7.8
>> Time of the start: Tue Oct 4 21:39:04 2016
>> Time of the last configuration load: Tue Oct 4 21:39:04 2016
>> Time of the dump: Tue Oct 4 21:39:39 2016
>> Program resource file: /home/risto/secrc
>> Program options: -conf=/etc/sec/app1.sec -input=/var/log/app1.log
>> -conf=/etc/sec/app2.sec -input=/var/log/app2.log
>> -conf=/etc/sec/app3.sec -input=/var/log/app3.log
>> -conf=/etc/sec/app4.sec -input=/var/log/app4.log
>> -conf=/etc/sec/app5.sec -input=/var/log/app5.log
>> -conf=/etc/sec/app6.sec -input=/var/log/app6.log
>>
>> Environment:
>> ============================================================
>> ...
>> SECRC=/home/risto/secrc
>>
>>
>> In order to address this problem, you need to set up a separate
>> resource file for each instance.
>>
>> Hope this helps,
>> risto
>>
>>
>> 2016-10-04 20:56 GMT+03:00 Yahoo <rahni.wal...@yahoo.com>:
>>> Hello,
>>>
>>>
>>> We have an issue where we are managing several monitors for several
>>> different log files; due to our setup, we need to utilize the resource file
>>> to be able to add the correct configurations (we used to do this in
>>> /etc/sysconfig/sec with several sec_args[n]=<content> arguments, but we
>>> needed to use the resource file to automate our process)
>>>
>>>
>>> However, we are seeing a problem.
>>>
>>> We have pairs of inputs and config files listed in the resource file. For
>>> example:
>>>
>>> # App1 error monitoring
>>>
>>> -conf=/etc/sec/app1.sec
>>> -input=/var/log/app1.log
>>>
>>> # App2 error monitoring
>>>
>>> -conf=/etc/sec/app2.sec
>>> -input=/var/log/app2.log
>>>
>>> # App3 error monitoring
>>>
>>> -conf=/etc/sec/app3.sec
>>> -input=/var/log/app3.log
>>>
>>> # app4 error monitoring
>>>
>>> -conf=/etc/sec/app4.sec
>>> -input=/var/log/app4.log
>>>
>>> # app5 error monitoring
>>>
>>> -conf=/etc/sec/app5.sec
>>> -input=/var/log/app5.log
>>>
>>> # app6 error monitoring
>>>
>>> -conf=/etc/sec/app6.sec
>>> -input=/var/log/app6.log
>>>
>>> But when we start sec, we get some conf files using the wrong input, for
>>> instance, we get the -conf file for app1 utilizing the input for app2.
>>>
>>> How do we get around this? Is it something to do with the buffer options...?
>>>
>>> We just want each pair only to monitor the input file listed below it.
>>>
>>>
>>> Thank you
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Check out the vibrant tech community on one of the world's most
>>> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>>> _______________________________________________
>>> Simple-evcorr-users mailing list
>>> Simple-evcorr-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>>>
>
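
The fix described in this thread (one resource file per sec instance, each started with its own SECRC, pid file and log) can be scripted; the following is an added example, not code from the thread or from the sec project. The function names, the secrcN output names and the rule that a new instance begins at each -conf line are assumptions made for illustration, and the sample resource file is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the options of one
# instance start at a -conf line and run until the next -conf line.

# split_secrc COMBINED OUTDIR: write OUTDIR/secrc1, secrc2, ... (hypothetical
# names) and print how many per-instance resource files were written.
split_secrc() {
    awk -v dir="$2" '
        /^[ \t]*(#|$)/ { next }    # comment and blank lines carry no options
        /^[ \t]*--?conf=/ { if (out) close(out); n++; out = dir "/secrc" n }
        n == 0 { print "option before first -conf: " $0 > "/dev/stderr"; bad = 1; next }
        { print > out }
        END { if (bad) exit 1; print n + 0 }
    ' "$1"
}

# launch_cmds OUTDIR COUNT: print one start command per instance, in the
# form used in the reply (separate SECRC, pid file and log for each).
launch_cmds() {
    i=1
    while [ "$i" -le "$2" ]; do
        echo "env SECRC=$1/secrc$i /usr/bin/sec --pid=/run/sec$i.pid --log=/var/log/sec$i.log"
        i=$((i + 1))
    done
}

# Constructed sample input, modelled on the resource file quoted in the thread.
demo_dir=$(mktemp -d)
cat > "$demo_dir/secrc" <<'EOF'
# App1 error monitoring

-conf=/etc/sec/app1.sec
-input=/var/log/app1.log

# App2 error monitoring

-conf=/etc/sec/app2.sec
-input=/var/log/app2.log
EOF
count=$(split_secrc "$demo_dir/secrc" "$demo_dir")
launch_cmds "$demo_dir" "$count"   # prints the commands only; nothing is started
rm -rf "$demo_dir"
```

An option line that appears before the first -conf line cannot be assigned to an instance, so split_secrc reports it on stderr and returns a non-zero status instead of guessing.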