hi all,
in the past, there have been several questions in the mailing list about
support for input file names with variable parts (such as timestamps).
While this question can be addressed with setting up a constant symbolic
link to input file, this approach does not work for platforms which don't
support symbolic links. Also, symbolic link involves the following caveat -
if the link does not exist already at sec startup, sec will not be able to
open the input file immediately.
For the reasons above, I have been thinking of implementing support for
such file names in the next sec version. One way would be re-evaluation of
input file pattern (say, /var/log/mylog*) after short time periods, but
this approach is neither elegant nor lightweight. However, one could also
address this problem with actions like 'register_input' and
'unregister_input'. The first action would simply add the given file name
into the list of input files and attempt to open it (unsuccessful open
would still leave the file in the list of inputs and it would continue be
treated as a regular input file, with attempts to reopen it if
--reopen_timeout command line option has been specified). Likewise,
'unregister_input' would remove the input file from the list of inputs.
Also, for implementing above two actions there are two possible paths.
Firstly, they could be allowed to disable/modify inputs provided in command
line with --input options. As the second alternative, they could simply
allow for creating temporary inputs which do not overlap with the ones from
command line (for example, with --input=/var/log/messages command line
option, 'unregister_input /var/log/messages' would fail and produce a
warning message).
A question to the mailing list members -- would you see the need for such
actions, and if yes, do you have some remarks and suggestions about
potential implementation?
kind regards,
risto
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
