On Thu, Aug 30, 2012 at 3:58 PM, Peter Eckel lists@eckel-edv.de wrote:
Hi,
Uhmm .. I am reading the docs about SEC, but it only speaks about event correlation ... How do you check whether syslog is receiving data??
Essentially you set up SEC to watch the syslog log file where the data are supposed to go, and set up a 'Single' rule that creates a context with a lifetime of your choice and a shellcmd attached to it that sends a mail if it expires.
The context will be refreshed every time a message comes in. If no message arrives for your given expiry period, it will send a mail.
You can use this as a sample to start with:
# Every line matches, so every line (re)creates the context and restarts its 720 s lifetime.
type=Single
ptype=RegExp
pattern=.*
desc=Heartbeat received
# The action list that runs when the context expires must be enclosed in parentheses.
action=create HEARTBEAT_ACTIVE 720 \
       ( shellcmd /bin/echo 'Alert!' | /bin/mail -s test user@example.com )
Not very sophisticated (and I have not tested it, so it might contain errors), but something very similar to it should do the trick.
It is a really good approach if I use plain log files ... But this syslog process acts as a syslog server and stores logs in a MySQL DB...
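The heartbeat idea from Peter's reply, written out as an added Python example that is not part of the thread or of SEC itself: every incoming message refreshes a "context" with the same 720-second lifetime as HEARTBEAT_ACTIVE, and a check that finds the context expired produces one alert until the next message arrives. It also covers the database case raised in the last message: when the syslog server writes to a DB rather than a file, the last heartbeat is simply the newest stored timestamp, so the same monitor can be fed from a query. The syslog lines, the `events` table with its `received_at` column and the timestamps are all constructed for the example; real rsyslog/syslog-ng schemas differ.

```python
import re
import sqlite3
from datetime import datetime, timedelta

# Lifetime of the heartbeat context, matching the 720 seconds in the SEC rule.
EXPIRY = timedelta(seconds=720)

# RFC 3164 timestamp at the start of a syslog line, e.g. "Aug 30 15:58:01 host prog: msg".
_TS_RE = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) ")


def parse_syslog_time(line, year):
    """Return the datetime of a syslog line, or None if it carries no timestamp.
    The year is supplied by the caller because RFC 3164 timestamps omit it."""
    m = _TS_RE.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss = m.groups()
    return datetime.strptime(f"{mon} {day} {year} {hh}:{mm}:{ss}", "%b %d %Y %H:%M:%S")


class HeartbeatMonitor:
    """Software equivalent of the SEC context: refreshed by events, alerts on silence."""

    def __init__(self, expiry=EXPIRY):
        self.expiry = expiry
        self.last_seen = None   # None means no message has ever been seen
        self.alerted = False    # True once the current silence has been reported

    def observe(self, ts):
        # Same effect as 'create HEARTBEAT_ACTIVE 720': the context is (re)created,
        # so its expiry clock restarts from the newest event.
        if self.last_seen is None or ts > self.last_seen:
            self.last_seen = ts
        self.alerted = False

    def check(self, now):
        """Return an alert message the first time the context would have expired, else None."""
        if self.last_seen is None or self.alerted:
            return None
        if now - self.last_seen >= self.expiry:
            self.alerted = True
            return f"Alert! no syslog messages since {self.last_seen:%Y-%m-%d %H:%M:%S}"
        return None


def replay_log(lines, year, now, expiry=EXPIRY):
    """File variant: feed log lines through the monitor and evaluate silence at 'now'."""
    mon = HeartbeatMonitor(expiry)
    for line in lines:
        ts = parse_syslog_time(line, year)
        if ts is not None:
            mon.observe(ts)
    return mon.check(now)


def latest_event_from_db(conn):
    """DB variant: the last heartbeat is the newest timestamp the syslog server stored.
    Table and column names are assumed for this example (constructed schema)."""
    row = conn.execute("SELECT MAX(received_at) FROM events").fetchone()
    return datetime.fromisoformat(row[0]) if row and row[0] else None


SAMPLE_LINES = [  # constructed sample input, not from any real host
    "Aug 30 15:50:12 gw01 sshd[4012]: Accepted publickey for ops from 10.0.0.5 port 50122",
    "Aug 30 15:58:01 gw01 kernel: eth0: link up",
    "this line has no timestamp and is ignored",
]


def demo():
    """Run both variants against the same constructed data; returns (file_alert, db_alert)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (received_at TEXT)")
    conn.executemany("INSERT INTO events VALUES (?)",
                     [("2012-08-30 15:50:12",), ("2012-08-30 15:58:01",)])
    now = datetime(2012, 8, 30, 16, 10, 1)   # exactly 720 s after the last message
    file_alert = replay_log(SAMPLE_LINES, 2012, now)
    db_mon = HeartbeatMonitor()
    db_mon.observe(latest_event_from_db(conn))
    db_alert = db_mon.check(now)
    return file_alert, db_alert


if __name__ == "__main__":
    print(demo())
```

In production the check would run on a timer (cron, a loop, or SEC's own context expiry) while observe() is driven by a tail of the file or a periodic MAX() query; the single-alert latch mirrors SEC firing the expiry action once per context, so a dead log source does not generate a mail every minute.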