Hi,
> Uhmm .. I am reading the docs about SEC, but it only speaks about
> event correlation ... How do you do to check if syslog is receiving
> data??
essentially you set up SEC to watch for the syslog log file where the data are supposed to go, set up a 'Single' rule that creates a context with a lifetime of your choice that has a shellcmd attached to it that sends a mail if it expires.
The context will be refreshed everytime a message comes in. If no message arrives for your given expiry period, it will send a mail.
You can use this as a sample to start with:
type = Single
ptype = RegExp
pattern = .*
desc = Heartbeat received
action = create HEARTBEAT_ACTIVE 720 \
shellcmd /bin/echo 'Alert!' | /bin/mail -s test user at example.com
Not very sophisticated (and I have not tested it, so it might contain errors), but something very similar to it should do the trick.