Hi,
Uhmm... I am reading the docs about SEC, but it only speaks about event correlation... How do you check if syslog is receiving data?
Essentially, you set up SEC to watch the syslog log file where the data are supposed to go, and set up a 'Single' rule that creates a context with a lifetime of your choice and a shellcmd attached to it that sends a mail if the context expires.
The context will be refreshed every time a message comes in. If no message arrives for your given expiry period, it will send a mail.
You can use this as a sample to start with:
# Every line that matches refreshes HEARTBEAT_ACTIVE (lifetime 720 s = 12 min);
# the action list in parentheses runs only when the context expires.
type=Single
ptype=RegExp
pattern=.*
desc=Heartbeat received
action=create HEARTBEAT_ACTIVE 720 \
    (shellcmd /bin/echo 'Alert!' | /bin/mail -s test user@example.com)
Not very sophisticated (and I have not tested it, so it might contain errors), but something very similar to it should do the trick.
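An added example (not from the original reply) that extends the same idea into a small rule set: it alerts once when the log goes silent, alerts again when data resumes, and seeds the heartbeat at SEC startup so an outage from the very first minute is also caught. It assumes sec is started with --intevents (so the SEC_STARTUP line refreshes the context like any other line) and that /bin/mail works; the SYSLOG_SILENT event/context name and the recipient address are placeholders.

```sec
# Rule 1: the synthetic SYSLOG_SILENT event raised by the expired heartbeat
# context. Mark the silent state (context with no lifetime = never expires)
# and send a single alert. Single rules stop here by default (DontCont), so
# this synthetic line never reaches rules 2 and 3.
type=Single
ptype=RegExp
pattern=^SYSLOG_SILENT$
desc=No syslog data received for 12 minutes
action=create SYSLOG_SILENT; \
       shellcmd /bin/echo 'no syslog data for 12 minutes' | \
           /bin/mail -s 'syslog silent' user@example.com

# Rule 2: first real line after an outage. Clear the silent marker,
# re-arm the heartbeat and report recovery.
type=Single
ptype=RegExp
pattern=.*
context=SYSLOG_SILENT && !SEC_INTERNAL_EVENT
desc=Syslog data resumed
action=delete SYSLOG_SILENT; \
       create HEARTBEAT_ACTIVE 720 (event SYSLOG_SILENT); \
       shellcmd /bin/echo 'syslog data resumed' | \
           /bin/mail -s 'syslog resumed' user@example.com

# Rule 3: normal operation. Every line (including SEC_STARTUP, thanks to
# --intevents) refreshes the 12-minute heartbeat; on expiry the context
# injects the SYSLOG_SILENT event handled by rule 1 instead of mailing
# directly, so the alert logic lives in one place.
type=Single
ptype=RegExp
pattern=.*
context=!SYSLOG_SILENT
desc=Heartbeat received
action=create HEARTBEAT_ACTIVE 720 (event SYSLOG_SILENT)
```

Run it with something like `sec --conf=heartbeat.sec --input=/var/log/messages --intevents`; rule order matters, since each rule is DontCont and the `.*` patterns would otherwise shadow the more specific ones.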