On Thu, Aug 30, 2012 at 3:58 PM, Peter Eckel <lists at eckel-edv.de> wrote:
> Hi,
>
>> Uhmm .. I am reading the docs about SEC, but it only speaks about
>> event correlation ... How do you check if syslog is receiving
>> data??
>
> essentially you set up SEC to watch the syslog log file where the data are supposed to go, and set up a 'Single' rule that creates a context with a lifetime of your choice, with a shellcmd attached to it that sends a mail if it expires.
>
> The context will be refreshed every time a message comes in. If no message arrives for your given expiry period, it will send a mail.
>
> You can use this as a sample to start with:
>
> type = Single
> ptype = RegExp
> pattern = .*
> desc = Heartbeat received
> action = create HEARTBEAT_ACTIVE 720 \
>          shellcmd /bin/echo 'Alert!' | /bin/mail -s test user@example.com
>
> Not very sophisticated (and I have not tested it, so it might contain errors), but something very similar to it should do the trick.

It is a really good approach if I use plain log files ... But this syslog process acts as a syslog server and stores logs in a MySQL DB...
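The check Peter's rule performs is a dead man's switch: every incoming line refreshes a context, and the alert fires only when the context runs out. Below is an added example (not code from this thread or from SEC itself) that models that context in plain Python so the timing can be reasoned about, and then applies the same "how old is the newest event" question to a syslog server that writes to a database rather than a file. The table and column names in the SQL string (rsyslog's default ommysql schema, SystemEvents / ReceivedAt) are an assumption and need to be adjusted to the real schema; the arrival times used in the demo are constructed.

```python
"""Dead man's switch for a syslog feed.

Added example, not code from the list thread or from SEC: emulates the
'create HEARTBEAT_ACTIVE 720 ... shellcmd ...' context from the sample rule
and applies the same staleness test to a DB-backed syslog server.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

LIFETIME = 720  # seconds; the context lifetime used in the sample SEC rule


@dataclass
class HeartbeatContext:
    """Emulates the SEC context created by 'create HEARTBEAT_ACTIVE <lifetime> <action>'.

    Every matching event refreshes the context to a full lifetime. If no event
    arrives before it expires, the attached action runs once (this is where the
    rule's shellcmd would send mail). A later event recreates the context.
    """
    lifetime: float
    on_expire: Callable[[float], None]
    expires_at: Optional[float] = None  # None: no context exists right now

    def refresh(self, now: float) -> None:
        # The lifetime is counted from the latest event, not from creation.
        self.expires_at = now + self.lifetime

    def tick(self, now: float) -> bool:
        """Expire the context if its lifetime has passed; True if the action fired."""
        if self.expires_at is not None and now >= self.expires_at:
            fired_at = self.expires_at
            self.expires_at = None
            self.on_expire(fired_at)
            return True
        return False


def find_silences(event_times: Iterable[float], lifetime: float, end_time: float) -> List[float]:
    """Replay event arrival times (epoch seconds) and return the times at which
    the heartbeat context expired, i.e. the moments the mail would have gone out.
    """
    alerts: List[float] = []
    ctx = HeartbeatContext(lifetime, alerts.append)
    for t in sorted(event_times):
        ctx.tick(t)      # a context that expired before this event fires first
        ctx.refresh(t)   # then the event itself refreshes (or recreates) it
    ctx.tick(end_time)   # a silence still ongoing at the end of the replay
    return alerts


# For a syslog server that writes to MySQL (the case raised in the reply) there
# is no file for SEC to tail, but the newest stored row answers the same
# question. Table and column names are an ASSUMPTION (rsyslog's default
# ommysql schema); change them to match the real schema.
NEWEST_EVENT_SQL = "SELECT UNIX_TIMESTAMP(MAX(ReceivedAt)) FROM SystemEvents"


def feed_is_stale(newest_event_time: Optional[float], now: float,
                  lifetime: float = LIFETIME) -> bool:
    """True when the newest stored event is older than `lifetime` seconds, or
    the table is empty: the same condition under which the SEC rule alerts."""
    if newest_event_time is None:
        return True
    return now - newest_event_time >= lifetime


if __name__ == "__main__":
    # Constructed arrival times: the 1400 s gap between 600 and 2000 exceeds the
    # 720 s lifetime, so exactly one alert fires, at 600 + 720 = 1320.
    sample = [0, 300, 600, 2000, 2100]
    print(find_silences(sample, LIFETIME, end_time=2500))  # [1320]
    # Result of NEWEST_EVENT_SQL would be passed in as newest_event_time.
    print(feed_is_stale(1000, now=2000))  # True
```

To use the DB half, run NEWEST_EVENT_SQL from a cron job (or a SEC 'Calendar' rule with a shellcmd) every few minutes and pass the result and the current time to feed_is_stale; an empty table returns NULL from MAX(), which maps to None and is treated as stale rather than silently ignored.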