hi Jaren,
I can see that your rules are trying to emulate process control via UNIX
signals which are missing on Windows/Strawberry platform. However, I would
*not* recommend to call functions like read_config() directly, since in sec
source code they are executed with a number of additional surrounding
statements. For example, for clean execution of read_config() a number of
hash tables are cleared in sec-2.6.2 source code, but your rules lack these
statements. As a result, your sec instance will run with inconsistent
internal state which could also result in unexpected duplicate output.
If you want to emulate UNIX signals with Strawberry perl, probably the only
reasonable way for that is to set corresponding signal flags (as signal
handlers would do). For example, the following action list would set the
"softrefresh" flag that is raised by ABRT signal (this signal forces SEC to
reopen its inputs and reload its configuration):
lcall %o -> ( sub { $main::softrefresh = 1; } )
When sec sees this flag, it will execute the full code for handling the
ABRT signal and then clear the flag. Therefore, you would not have issues
from partial execution that would most likely lead to inconsistent/corrupt
internal state.
Although the mailing list archive contains an example when USR1 signal is
emulated by calling dump_data() function directly, this example only works
since the handling of USR1 involves executing just dump_data(). But for the
sake of clarity I would personally use the signal flag approach even for
USR1.
However, if you seriously need support for signals and other UNIX-like
functionality, I'd recommend to go with Cygwin perl.
Hope this helps,
risto
2018-01-26 12:59 GMT+02:00 Jaren Peich <burkol...@gmail.com>:
> Hi,
>
> I have a problem with the reading a processing the file logs wit SEC 2.6.2
> on Windows. I use Strawberry Perl.
> I have a main file with regexp and Jump rules for post processing log
> lines.
>
> Example(invented):
>
> rem = Alert 001
> type = Jump
> ptype = RegExp
> desc = $0
> continue = DontCont
> pattern = (.*)
> varmap = alert;log=0;
> cfset = alertSet
>
> After this rules, previously we had problems with the reading and i added
> this calls from SEC library.
>
> #Force reopen file logs at 06:15
> type=Calendar
> time= 15 6 * * *
> desc= $0
> action= lcall %o -> ( sub { main::read_options(); main::open_input(-1,
> $keepopen); } )
>
>
> #Open Files not open yet
> #type=Calendar
> #time= */5 * * * *
> #desc= $0
> #action= lcall %o -> ( sub { main::open_input(0,1); } )
>
>
> #Reload configuration after 2 hours.
> type=Calendar
> time= */15 * * * *
> desc= $0
> action= eval %o (sleep 61;);\
> lcall %o -> ( sub { main::read_config(); } )
>
> The problem it´s when i rexecute(finish process and execute again) alerts
> get duplicated in the output file. any idea to solve this?
>
> I have another doubt where or how do you create file paths from log files
> in library?
>
> Sorry for my english.
>
> Thank you!. Regards. :)
>
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
