Simple Event Coordinator (SEC)
Simple Event Coordinator (SEC) is an excellent tool for real-time log monitoring. In my opinion, it is a superior tool to swatch, both because SEC appears to have more features than swatch and because swatch appeared to be bug-ridden and somewhat poorly maintained when I tested it.
SEC home page:
http://www.estpak.ee/~risto/sec/
In my environment, I monitor multiple log files with SEC. Since SEC can
only monitor one log file per instance, I use a custom startup and
shutdown script to make it easy to add and delete SEC configuration
files.
For example, if I want to monitor /var/adm/messages and /var/log/maillog with SEC, I create _var_adm_messages and _var_log_maillog SEC configuration files in $SEC_DIR.
The custom SEC startup and shutdown script converts the underscores in
each SEC configuration file filename to a slash to determine the log
file to monitor.
$SEC_DIR/_var_adm_messages is a SEC configuration file for /var/adm/messages.
$SEC_DIR/_var_log_maillog is a SEC configuration file for /var/log/maillog.
etc.
_var_adm_messages contents:
type=SingleWithSuppress
ptype=regexp
pattern=WARNING:\s(\S+):\sFile system full
desc=$1 file system full
action=pipe '$0' /bin/mailx -s "%s" user@example.com
window=1800

type=SingleWithSuppress
ptype=regexp
pattern=fork: Not enough space
desc=fork: Not enough space
action=pipe '$0' /bin/mailx -s "%s" user@example.com
window=1800
_var_log_maillog contents:
type=SingleWithThreshold
ptype=regexp
pattern=Domain of sender address .*\@(.*) does not (exist|resolve)
desc=Multiple DNS problems with $1
action=pipe '$0' /bin/mailx -s "%s" user@example.com
thresh=60
window=60

type=SingleWithSuppress
ptype=regexp
pattern=from=.*451 4\.4\.3 Temporary lookup failure of
desc=DNS problems with DNSBL
action=pipe '$0' /bin/mailx -s "%s" user@example.com
window=60
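As an added illustration (not part of the original page and not SEC's own code), the following Python model shows how the window and thresh settings in the first rule of each file above decide when mail is sent. It assumes SingleWithSuppress behaves like a threshold of 1 and that each counter is keyed on the expanded desc string; the Rule class, the helper names and the sample log lines are constructed for this example.

```python
import re

class Rule:
    """Model of one SEC rule; SingleWithSuppress is treated as thresh=1."""
    def __init__(self, pattern, desc, window, thresh=1):
        self.regex, self.desc = re.compile(pattern), desc
        self.window, self.thresh, self.ops = window, thresh, {}

    def feed(self, ts, line):
        """Return the mail subject if this line runs the action, else None."""
        m = self.regex.search(line)
        if not m:
            return None
        # One operation per expanded desc: each distinct $1 has its own window.
        key = self.desc.replace("$1", m.group(1))
        op = self.ops.get(key)
        if op and op["fired"] and ts - op["times"][0] >= self.window:
            op = None                      # window over: the operation ends
        if op is None:
            op = self.ops[key] = {"times": [], "fired": False}
        if op["fired"]:
            return None                    # action already ran in this window
        # Below the threshold: slide the window past events that are too old.
        while op["times"] and ts - op["times"][0] >= self.window:
            op["times"].pop(0)
        op["times"].append(ts)
        if len(op["times"]) >= self.thresh:
            op["fired"] = True
            return key
        return None

def alerts(rule, events):
    """Feed (timestamp, line) pairs to a rule; return [(timestamp, subject)]."""
    return [(ts, s) for ts, line in events if (s := rule.feed(ts, line))]

def fs_rule():   # first rule of _var_adm_messages
    return Rule(r"WARNING:\s(\S+):\sFile system full",
                "$1 file system full", window=1800)

def dns_rule():  # first rule of _var_log_maillog
    return Rule(r"Domain of sender address .*\@(.*) does not (exist|resolve)",
                "Multiple DNS problems with $1", window=60, thresh=60)

# Constructed sample input: (seconds since start, log line).
FS_LINE = "WARNING: %s: File system full"
FS_EVENTS = [(t, FS_LINE % fs) for t, fs in
             [(0, "/var"), (600, "/var"), (700, "/tmp"), (1900, "/var")]]
DNS_LINE = "Domain of sender address a@%s does not exist"
BURST = [(i * 0.5, DNS_LINE % "example.org") for i in range(60)]
SPREAD = [(i * 0.5, DNS_LINE % ("host%d.example.net" % i)) for i in range(120)]
```

In this model, alerts(dns_rule(), BURST) produces one alert at the 60th failure for example.org, while SPREAD (120 failures across 120 different domains in the same minute) produces none, because the count is kept per desc string.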
SEC startup and shutdown script
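#!/bin/sh
# Files in $SEC_DIR are sec.pl configuration files as well
# as names of files to tail. Directory paths are separated with "_" and
# must be converted to "/"
# e.g. _var_adm_messages in $SEC_DIR must be converted to /var/adm/messages
# Note: every "_" becomes "/", so a log file whose own name contains "_"
# cannot be represented with this naming scheme.

SEC_DIR=/usr/local/sec
SEC=/usr/local/bin/sec.pl

case "$1" in
'start')
    # Start one detached sec.pl instance per configuration file
    for CFG_FILE in "$SEC_DIR"/_*
    do
        # Skip the unexpanded pattern when no configuration files exist
        [ -f "$CFG_FILE" ] || continue
        TAIL_FILE=`/usr/bin/basename "$CFG_FILE" | /usr/bin/tr '_' '/'`
        "$SEC" --detach --conf "$CFG_FILE" --input "$TAIL_FILE"
    done
    ;;
'stop')
    /usr/bin/pkill sec.pl
    ;;
'reload')
    # SIGHUP makes the running instances re-read their configuration files
    /usr/bin/pkill -HUP sec.pl
    ;;
'restart')
    "$0" stop
    "$0" start
    ;;
*)
    echo "Usage: `/usr/bin/basename $0` { start | stop | reload | restart }"
    exit 1
    ;;
esac
exit 0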
To have changes to existing SEC configuration files take effect, run sec reload. If a SEC configuration file is added or deleted, run sec restart.
Last modified: 2006/06/19