My IDS system uses a file called snort.u2.xxxx.
this file roles over every night during a service restart and starts at 0 size after the restart of the service.
I have had a problem when the Snort service restarts that sometimes this file hangs.
I want to be alerted if this file does not grow beyond a certain size in a given time.
Then I want the alert to restart the Snortd service and monitor again for a given time and size.
Anyone have any ideas how I can do this
Using a fschange input might be helpful here. By monitoring the file, and setting the option "sendEventMaxSize = N" then when the input checks the file, it will only send the contents of the file upto N bytes. If no content is sent, then you have progress. Not exactly what you are looking for, but without a perl/bash/python/etc script, I don't think it's possible. That is the other option, by the way. Write a scripted input to output the filesize of the file, and perform your search on that input.
http://docs.splunk.com/Documentation/Splunk/5.0/Data/Monitorchangestoyourfilesystem
http://docs.splunk.com/Documentation/Splunk/5.0/admin/inputsconf
Using a fschange input might be helpful here. By monitoring the file, and setting the option "sendEventMaxSize = N" then when the input checks the file, it will only send the contents of the file upto N bytes. If no content is sent, then you have progress. Not exactly what you are looking for, but without a perl/bash/python/etc script, I don't think it's possible. That is the other option, by the way. Write a scripted input to output the filesize of the file, and perform your search on that input.
http://docs.splunk.com/Documentation/Splunk/5.0/Data/Monitorchangestoyourfilesystem
http://docs.splunk.com/Documentation/Splunk/5.0/admin/inputsconf