hi Penelope, since 'obsolete' is a SEC action, it can not be called in Perl, but you rather need some sort of loop written in the SEC rule language. Fortunately, SEC supports the 'while' action that executes an action list as long as the given action list variable evaluates true in boolean context. That allows you to write a loop for processing a context event store, since there is 'getsize' action for finding the number of events in the store, and 'shift' (or 'pop') action for removing an element from the beginning (or end) of the store. For taking advantage of this functionality for your task, you just have to write relevant context names into the event store of some context, and then process this context with a loop.
Here is an example ruleset that illustrates the idea:

type=Single
ptype=SubStr
pattern=SEC_SHUTDOWN
context=SEC_INTERNAL_EVENT
desc=Save contexts msg_* into /tmp/report.* on shutdown
action=lcall %ret -> ( sub { join("\n", grep { /^msg_/ } keys %main::context_list) } ); \
       fill BUFFER %ret; getsize %size BUFFER; \
       while %size ( shift BUFFER %name; obsolete %name; getsize %size BUFFER )

type=single
ptype=regexp
pattern=create (\S+)
desc=create the $1 context
action=create $1 3600 ( report $1 /bin/cat > /tmp/report.$1 )

type=single
ptype=regexp
pattern=add (\S+) (.+)
desc=add string $2 to the $1 context
action=add $1 $2

The 'lcall' action in the first rule executes the following Perl code:

join("\n", grep { /^msg_/ } keys %main::context_list)

This code is matching all context names with the "msg_" prefix and joining such names into a multiline string. The following 'fill' action splits this multiline string by newline, and writes individual context names into the event store of the BUFFER context. The number of context names in the event store is then established with getsize %size BUFFER, and then the 'while' loop gets executed:

while %size ( shift BUFFER %name; obsolete %name; getsize %size BUFFER )

Inside the loop, context names are taken from the event store one by one, and the 'obsolete' action is called for each context name.

One note of caution -- 'obsolete' triggers the 'report' action which forks a separate process, and a forked process has 3 seconds for finishing its work before receiving TERM signal from SEC (if the process has to run longer, a signal handler must be set up for TERM).

Hopefully the above rule example is useful.

kind regards,
risto

On Tue, 15 December 2020 at 01:39, sec-user--- via Simple-evcorr-users (<simple-evcorr-users@lists.sourceforge.net>) wrote:
>
> Hello!
>
> I'm dabbling with SEC, experimenting with adding lines into contexts and only
> when the context is finished, decide what to do with it. Essentially it's
> taking a look at the group of log messages emitted by sendmail for every
> connection, looking for behaviour that is not consistent with being an
> honored guest on the internet, and blocking the source with iptables and
> ipset.
>
> The problem is that I'm testing with the same input file over and over, but
> the 'report' actions aren't running because the entire log file is processed
> in less than 10 seconds:
>
> sec --conf sendmail.test \
>     --input /tmp/all.logs \
>     --fromstart \
>     --notail \
>     --bufsize=1 \
>     --log=- \
>     --intevents \
>     --intcontexts \
>     --debug=50
>
> Rather than write some perl to run in the SEC_SHUTDOWN internal event to
> write the context buffers to files, I'd really rather just run the 'obsolete'
> action on all contexts. Is there a straightforward way to do that?
>
> type=Single
> ptype=SubStr
> pattern=SEC_SHUTDOWN
> context=SEC_INTERNAL_EVENT
> desc=Save contexts msg_* into /tmp/report.* on shutdown
> action=logonly; lcall %ret -> ( sub { my($context); \
>        foreach $context (keys %main::context_list) { obsolete $context; } \
>        } )
>
> Mon Dec 14 14:49:34 2020: Code 'CODE(0x560fca302fb8)' runtime error: Can't
> locate object method "obsolete" via package "msg_sendmail[4208]" (perhaps you
> forgot to load "msg_sendmail[4208]"?) at (eval 9) line 1.
>
> For better testing, it would be cool if SEC's idea of the current time could
> be derived from the timestamps in the log file instead of wall-clock time, so
> that context actions happen at the right time relative to log messages
> (rather than 30 seconds after the program ends! :-), but that's probably a
> bit too much to ask for.
>
> Thanks!
>
> --
>
> Penelope Fudd
>
> sec-u...@ch.pkts.ca
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
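Risto's caution above, that the process forked by 'report' is sent TERM after 3 seconds, is the reason for this added example, which is not part of the mail thread: a small POSIX shell script (assumed to live at /usr/local/bin/save_report.sh, a path of my choosing) that can stand in for '/bin/cat > /tmp/report.$1' in the 'report' action. It traps TERM so the copy of the event store is finished regardless, and renames a temporary file into place so a half-written report never appears under the final name.

```shell
#!/bin/sh
# Added example, not from the original mail. Intended use in the 'create'
# rule's action list (the script path is an assumption):
#   action=create $1 3600 ( report $1 /usr/local/bin/save_report.sh /tmp/report.$1 )
# SEC pipes the context event store into the process on stdin.

# save_report DEST: copy stdin to DEST through a temporary file.
# A TERM arriving while the copy is still running is recorded, not obeyed,
# so the report is completed and renamed into place before we exit.
save_report() {
    dest=$1
    tmp="$dest.$$.tmp"
    term_seen=0
    trap 'term_seen=1' TERM

    if ! cat > "$tmp"; then
        rm -f "$tmp"
        trap - TERM
        return 1
    fi
    mv -f "$tmp" "$dest"
    trap - TERM

    if [ "$term_seen" -eq 1 ]; then
        echo "save_report: TERM received from SEC, $dest written anyway" >&2
    fi
    return 0
}

# report_lines DEST: number of lines saved in DEST, for a quick check.
report_lines() {
    wc -l < "$1" | tr -d ' '
}

# Run only when invoked with a destination, so sourcing the file is harmless.
if [ -n "${1:-}" ]; then
    save_report "$1"
fi
```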