I have SEC running on one machine.  Works great.

Now I'm trying to persuade SEC to run on a second machine, and I'm having 
trouble.  Seems to load just fine ... but after 'Reading configuration from 
...', SEC doesn't log any messages about "x rules loaded from ...".
And, in fact, it isn't acting on any of those rules (which it hasn't read).

Any tips to offer, for how to troubleshoot the 'reading / loading' phase?  
I have looked at debug level ... but it seems to me that SEC runs by default at 
debug level 6, i.e. the highest level, and that's what I'm doing.  At any rate, 
adding "-debug=6" to the invocation line hasn't resulted in any additional 
messages arriving in syslog.


GOOD
2016-10-24T10:26:32.587371-07:00 guru sec[16710]: SEC (Simple Event Correlator) 2.7.10
2016-10-24T10:26:32.587570-07:00 guru sec[16710]: Reading configuration from /opt/local/etc/sec/cisco.conf
2016-10-24T10:26:32.588022-07:00 guru sec[16710]: 4 rules loaded from /opt/local/etc/sec/cisco.conf
2016-10-24T10:26:32.588140-07:00 guru sec[16710]: Reading configuration from /opt/local/etc/sec/isilon.conf
2016-10-24T10:26:32.588296-07:00 guru sec[16710]: 2 rules loaded from /opt/local/etc/sec/isilon.conf
2016-10-24T10:26:32.588405-07:00 guru sec[16710]: Reading configuration from /opt/local/etc/sec/toc.conf
2016-10-24T10:26:32.590144-07:00 guru sec[16710]: 27 rules loaded from /opt/local/etc/sec/toc.conf
2016-10-24T10:26:32.590294-07:00 guru sec[16710]: No --bufsize command line option or --bufsize=0, setting --bufsize to 1

BAD
Oct 24 10:38:37 pinda sec[25496]: SEC (Simple Event Correlator) 2.7.10
Oct 24 10:38:37 pinda sec[25496]: Reading configuration from /opt/local/etc/sec/cisco.conf
Oct 24 10:38:37 pinda sec[25496]: Reading configuration from /opt/local/etc/sec/isilon.conf
Oct 24 10:38:37 pinda sec[25496]: Reading configuration from /opt/local/etc/sec/toc.conf
Oct 24 10:38:37 pinda sec[25496]: Opening input file /var/log/syslog



BOTH
cat /etc/system/system/sec.service

[Unit]
Description=Simple Event Correlator
AssertFileIsExecutable=/opt/local/script/sec
AssertPathExistsGlob=/opt/local/etc/sec/*.conf
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/opt/local/script/sec --conf=/opt/local/etc/sec/*.conf --input=/var/log/syslog --tail --syslog=local0 --nodetach --pid=/var/run/sec.pid --quoting
ExecReload=/bin/kill -HUP $MAINPID
User=root

[Install]
WantedBy=multi-user.target

--sk
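
Added example, not part of the original post and not SEC's own code: a small check that reads SEC's syslog output and reports, per SEC process, every config file that was announced with "Reading configuration from" but never followed by "N rules loaded from". The function name unloaded_configs is hypothetical; the sample text is excerpted from the two logs quoted above.

```python
import re
from collections import defaultdict

# Excerpts of the two startup logs quoted in the post, hard-wrapped as mailed.
GOOD = """\
2016-10-24T10:26:32.587570-07:00 guru sec[16710]: Reading configuration from
/opt/local/etc/sec/cisco.conf
2016-10-24T10:26:32.588022-07:00 guru sec[16710]: 4 rules loaded from
/opt/local/etc/sec/cisco.conf
2016-10-24T10:26:32.590294-07:00 guru sec[16710]: No --bufsize command line
option or --bufsize=0, setting --bufsize to 1
"""
BAD = """\
Oct 24 10:38:37 pinda sec[25496]: SEC (Simple Event Correlator) 2.7.10
Oct 24 10:38:37 pinda sec[25496]: Reading configuration from
/opt/local/etc/sec/cisco.conf
Oct 24 10:38:37 pinda sec[25496]: Reading configuration from
/opt/local/etc/sec/isilon.conf
Oct 24 10:38:37 pinda sec[25496]: Opening input file /var/log/syslog
"""

# The two SEC messages of interest. The pattern ignores the timestamp format
# (both styles above work) and \s+ lets the path sit on a wrapped next line.
EVENT = re.compile(
    r"\bsec\[(?P<pid>\d+)\]:\s+"
    r"(?:(?P<read>Reading configuration from)|(?P<n>\d+) rules loaded from)"
    r"\s+(?P<path>\S+)"
)

def unloaded_configs(log_text):
    """Hypothetical helper: return {pid: [paths]} for config files that were
    read but had no 'rules loaded' message afterwards in the same process."""
    pending = defaultdict(dict)  # pid -> ordered set of paths awaiting a count
    for m in EVENT.finditer(log_text):
        if m["read"]:
            pending[m["pid"]][m["path"]] = True
        else:
            # A later reload (SIGHUP) re-adds the path, so each read is
            # matched against the 'rules loaded' line that follows it.
            pending[m["pid"]].pop(m["path"], None)
    return {pid: list(paths) for pid, paths in pending.items() if paths}

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, unloaded_configs(text) or "every config reported its rules")
```
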

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
