Date: Jun 23, 2009

I had a busy weekend and Monday, so I didn't get to work on this project as much as I would have liked.

Today, I worked on splitting out the emerg, crit, and alert messages so they may be acted upon more rapidly. I also got the max file size with rotation set up for all the files that will be read by SEC. The rotation was incredibly simple with rsyslog.

After today's work (and some new filesystem creation) the config file for rsyslog looks like this:

# Modules: immark emits periodic "-- MARK --" lines (every 1200 s), ommail is
# loaded for later use (no mail action is configured below yet), imuxsock
# reads the local /dev/log socket.
$ModLoad immark
$ModLoad ommail
$MarkMessagePeriod 1200
$ModLoad imuxsock

# Network receivers. UDP syslog is unauthenticated and this listener binds
# every interface, so restrict 514/udp to the known log sources at the firewall.
$ModLoad imudp
$UDPServerAddress *
$UDPServerRun 514
# imtcp is loaded but no TCP listener is started; a "$InputTCPServerRun 514"
# line would be needed for senders that use TCP.
$ModLoad imtcp

# Archive path per host and day: /logs/archive/<host>/<yyyy>/<mm>/<dd>/<facility>-<severity>.log
$template HostDirs,"/logs/archive/%HOSTNAME%/%$year%/%$month%/%$day%/%syslogfacility-text%-%syslogseverity-text%.log"

# Output channels: name, file, max size in bytes (52428800 = 50 MiB) and the
# command rsyslog executes when the file reaches that size. The command is
# expected to rotate or truncate the file; a directory path such as
# /logs/current/ cannot be executed, so rotation would never happen. The
# rotation script named here is an assumed placeholder, not part of the original config.
$outchannel all_log, /logs/current/all.log, 52428800, /usr/local/sbin/rotate-current.sh
$outchannel emerg_log, /logs/current/emerg.log, 52428800, /usr/local/sbin/rotate-current.sh
$outchannel crit_log, /logs/current/crit.log, 52428800, /usr/local/sbin/rotate-current.sh
$outchannel alert_log, /logs/current/alert.log, 52428800, /usr/local/sbin/rotate-current.sh

# Everything goes to the per-host archive and to all.log ("&" reuses the selector).
*.* ?HostDirs
& $all_log

# The three highest severities are additionally split into their own files
# (=severity matches that single level only, not "that level and above").
*.=emerg $emerg_log

*.=alert $alert_log

*.=crit $crit_log

Unless something unforeseen comes up, I think I'm probably done with the rsyslog config file. All the heavy lifting will be done by SEC.

First, I'll write SEC config files that parse the emerg, alert, and crit logs in the same way a Perl script does today. It shouldn't be too hard to port a Perl script into SEC config language. The hard part will be handling everything that goes into all.log.
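As an added example of the kind of SEC rule file meant here (it is not the author's Perl script or SEC config; the host names, the sample log lines and the address ops@example.com are placeholders), here are two rules for crit.log: one mails the first critical message from each host/program pair and suppresses repeats for ten minutes, the other escalates when a single host emits a burst of critical messages.

```sec
# crit.sec -- added example, not part of the original page.
#
# Run against the file rsyslog fills with "*.=crit":
#   sec --conf=/etc/sec/crit.sec --input=/logs/current/crit.log
#
# rsyslog writes crit.log in its default file format. Constructed sample lines:
#   Jun 23 14:05:01 web01 kernel: EXT3-fs error (device sda1): ext3_readdir: bad entry in directory #2
#   Jun 23 14:05:03 web01 sshd[2345]: fatal: Timeout before authentication for 192.0.2.7
# Capture groups used below: $1 = host, $2 = program (pid stripped), $3 = message.
# ops@example.com is a placeholder address.

# Rule 1: escalate when one host logs 5 or more crit messages within 60 s.
# desc is the counting key, so the threshold is tracked per host.
# continue=TakeNext lets rule 2 also see the line; the default would stop here.
type=SingleWithThreshold
continue=TakeNext
ptype=RegExp
pattern=^\w{3}\s+\d+ \d+:\d+:\d+ (\S+) \S
desc=crit storm from $1
action=pipe 'Host $1 logged at least 5 critical messages within one minute' /usr/bin/mail -s 'CRIT storm on $1' ops@example.com
window=60
thresh=5

# Rule 2: mail the first crit from each host/program pair; further lines for
# the same pair within 600 s are suppressed. desc is the suppression key, so
# it deliberately excludes the message text $3 (otherwise only byte-identical
# messages would be suppressed).
type=SingleWithSuppress
ptype=RegExp
pattern=^\w{3}\s+\d+ \d+:\d+:\d+ (\S+) ([^\s\[:]+)(?:\[\d+\])?: (.*)$
desc=crit from $1/$2
action=pipe '$3' /usr/bin/mail -s 'CRIT on $1 ($2)' ops@example.com
window=600
```

The same file shape works for emerg.log and alert.log, typically with a shorter or no suppression window since those severities are rarer. The regular expressions assume rsyslog's default file format; if the outchannel files are later given a custom template, the patterns have to follow it.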

This morning, rsyslog 4.2.0 was released with a tag of STABLE. Given the stable tag, I'll probably update my package to 4.2.0 and start using it in a few days.