SEC (NETS notes)
SEC (Simple Event Correlator) has replaced Swatch as the primary
tool to watch log files in real time.
As compared to Swatch, SEC:
- Is context-aware, so it can correlate multiple events
- Can monitor multiple files with a single instance
- Features automatic log rollover detection
- Easily emulates swatch behavior (see config stanza below)
- Appears to have a reliable throttling mechanism
- Is relatively easy to configure
- Is available in the Debian repositories
http://www.estpak.ee/~risto/sec/
NETS has SEC deployed as a Debian package on netserver. It runs
as a daemon and can be started and stopped using the standard init
script:
/etc/init.d/sec {stop|start|reload}
- SEC's configuration file is /etc/syslog-ng/logwatch.sec
- It watches the file /var/log/syslog
- It produces its own log file /var/log/sec.log which is rotated
weekly
SEC should be reloaded to trigger a re-read of its configuration file.
It is also reloaded by logrotate when its log file is rotated.
Here is a configuration stanza that we use, followed by a
description of each line:
type=SingleWithSuppress
ptype=regexp
pattern=SYS-5-SUP_MODSBY
desc=SupModReset Notice
action=pipe '$0' /usr/bin/mail -s "%s" ne
window=300
- type=SingleWithSuppress specifies a throttled match
- window=300 defines a 5-minute throttle
- ptype=regexp specifies that we want to use Perl regular
expression matching, which allows string capture and replay in the
action
- pattern= is the specific pattern we're looking for in the log
file. There is an implicit /.* and .*/ surrounding the pattern.
- desc= defines the description of this stanza; it is substituted
for "%s" in the action (here, the mail subject)
- action=pipe sends '$0' (the whole log line that matched) to mail
with a subject of "SupModReset Notice"
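To make the SingleWithSuppress throttle concrete, here is an added Python simulation (not SEC's own code, which is Perl) of the stanza above run over a few constructed syslog lines: the first match fires the action, matches inside the 300-second window are dropped, and the next match after the window fires again. The sample lines, their timestamps and the message text are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for the stanza above: a throttled match on the
# supervisor message with a 300-second (5-minute) window.
RULE = {
    "pattern": re.compile(r"SYS-5-SUP_MODSBY"),  # unanchored, like SEC's regexp ptype
    "desc": "SupModReset Notice",
    "window": 300,
}

@dataclass
class SingleWithSuppress:
    """Minimal model of SEC's SingleWithSuppress: fire the action on the
    first matching line, then suppress further matches for `window` seconds."""
    pattern: re.Pattern
    desc: str
    window: int
    actions: list = field(default_factory=list)
    _suppress_until: float = field(default=0.0, init=False)

    def feed(self, ts: float, line: str) -> bool:
        """Return True if the action fired for this line, False if the line
        did not match or the match fell inside the suppression window."""
        if not self.pattern.search(line):
            return False
        if ts < self._suppress_until:
            return False  # inside the window: suppressed
        self._suppress_until = ts + self.window
        # Emulate `pipe '$0' mail -s "%s"`: $0 is the whole input line, %s is desc.
        self.actions.append({"subject": self.desc, "body": line})
        return True

# Constructed sample log lines, with offsets in seconds from the first event.
SAMPLE = [
    (0,   "Mar  1 10:00:00 core1 1234: %SYS-5-SUP_MODSBY: supervisor switchover"),
    (30,  "Mar  1 10:00:30 core1 1235: %SYS-5-SUP_MODSBY: supervisor switchover"),
    (120, "Mar  1 10:02:00 core1 1236: %LINK-3-UPDOWN: Gi1/1 changed state to down"),
    (310, "Mar  1 10:05:10 core1 1237: %SYS-5-SUP_MODSBY: supervisor switchover"),
]

def run(sample=SAMPLE, rule=RULE):
    """Feed the sample through the rule; return the offsets that fired and the actions."""
    corr = SingleWithSuppress(rule["pattern"], rule["desc"], rule["window"])
    fired = [ts for ts, line in sample if corr.feed(ts, line)]
    return fired, corr.actions

if __name__ == "__main__":
    fired, actions = run()
    print("fired at offsets:", fired)  # → [0, 310]
    for a in actions:
        print(f"mail -s {a['subject']!r}: {a['body']}")
```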
Refer to the man page or the SEC web page for additional configuration
options.