Re: OT: Tool for monitoring traffic IP reception

On Thu, Aug 30, 2012 at 3:58 PM, Peter Eckel <lists@xxxxxxxxxxxx> wrote:
> Hi,
>
>> Uhmm .. I am reading the docs about SEC, but it only speaks about
>> event correlation ... How do you check if syslog is receiving
>> data??
>
> essentially you set up SEC to watch for the syslog log file where the data are supposed to go, set up a 'Single' rule that creates a context with a lifetime of your choice that has a shellcmd attached to it that sends a mail if it expires.
>
> The context will be refreshed every time a message comes in. If no message arrives for your given expiry period, it will send a mail.
>
> You can use this as a sample to start with:
>
> type     = Single
> ptype    = RegExp
> pattern  = .*
> desc     = Heartbeat received
> action   = create HEARTBEAT_ACTIVE 720 \
>                   shellcmd /bin/echo 'Alert!' | /bin/mail -s test user@xxxxxxxxxxx
>
> Not very sophisticated (and I have not tested it, so it might contain errors), but something very similar to it should do the trick.
>

It is a really good approach if I use plain log files ... But this
syslog process acts as a syslog server and stores logs in a MySQL
DB...
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
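
The expiry logic of the rule quoted above, written out as an added example (not code from this thread or from SEC). It works on message timestamps only, so it does not depend on whether they come from a log file or a database. The function names, the ISO 8601 line format and the sample lines are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Same lifetime as the HEARTBEAT_ACTIVE context in the quoted rule (seconds).
LIFETIME = timedelta(seconds=720)

# Constructed sample lines; a leading ISO 8601 timestamp is assumed.
SAMPLE = [
    "2012-08-30T10:00:00 host1 sshd[101]: session opened",
    "2012-08-30T10:05:00 host1 sshd[101]: session closed",
    "2012-08-30T10:30:00 host2 crond[202]: job started",
    "2012-08-30T10:40:00 host2 crond[202]: job finished",
]


def parse_ts(line):
    """Return the timestamp at the start of a log line (hypothetical format)."""
    return datetime.fromisoformat(line.split(" ", 1)[0])


def silence_alerts(lines, now, lifetime=LIFETIME):
    """Return the times at which the heartbeat context would have expired.

    Every message (re)creates the context with a fresh lifetime. If the next
    message arrives after that lifetime has run out, the context expired once
    in between, which is the point where the mail would be sent. With no
    messages at all the context is never created, so nothing ever expires:
    a source that is silent from the start produces no alert.
    """
    alerts = []
    expires_at = None
    for ts in sorted(parse_ts(line) for line in lines):
        if expires_at is not None and ts > expires_at:
            alerts.append(expires_at)      # gap longer than the lifetime
        expires_at = ts + lifetime         # message refreshes the context
    if expires_at is not None and now > expires_at:
        alerts.append(expires_at)          # still silent at evaluation time
    return alerts


if __name__ == "__main__":
    for t in silence_alerts(SAMPLE, datetime(2012, 8, 30, 11, 0, 0)):
        print("no messages received before", t.isoformat())
```
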