hi Penelope,

since 'obsolete' is a SEC action, it cannot be called in Perl, but
you rather need some sort of loop written in the SEC rule language.
Fortunately, SEC supports the 'while' action that executes an action
list as long as the given action list variable evaluates true in
boolean context. That allows you to write a loop for processing a
context event store, since there is 'getsize' action for finding the
number of events in the store, and 'shift' (or 'pop') action for
removing an element from the beginning (or end) of the store. For
taking advantage of this functionality for your task, you just have to
write relevant context names into the event store of some context, and
then process this context with a loop.

Here is an example ruleset that illustrates the idea:

type=Single
ptype=SubStr
pattern=SEC_SHUTDOWN
context=SEC_INTERNAL_EVENT
desc=Save contexts msg_* into /tmp/report.* on shutdown
action=lcall %ret -> ( sub { join("\n", grep { /^msg_/ } keys %main::context_list) } ); \
       fill BUFFER %ret; getsize %size BUFFER; \
       while %size ( shift BUFFER %name; obsolete %name; getsize %size BUFFER )

type=single
ptype=regexp
pattern=create (\S+)
desc=create the $1 context
action=create $1 3600 ( report $1 /bin/cat > /tmp/report.$1 )

type=single
ptype=regexp
pattern=add (\S+) (.+)
desc=add string $2 to the $1 context
action=add $1 $2

The 'lcall' action in the first rule executes the following Perl code:
join("\n", grep { /^msg_/ } keys %main::context_list)
This code is matching all context names with the "msg_" prefix and
joining such names into a multiline string.
The following 'fill' action splits this multiline string by newline,
and writes individual context names into the event store of the BUFFER
context.
The number of context names in the event store is then established
with getsize %size BUFFER, and then the 'while' loop gets executed:
while %size ( shift BUFFER %name; obsolete %name; getsize %size BUFFER)
Inside the loop, context names are taken from the event store one by
one, and the 'obsolete' action is called for each context name.

One note of caution -- 'obsolete' triggers the 'report' action which
forks a separate process, and a forked process has 3 seconds for
finishing its work before receiving TERM signal from SEC (if the
process has to run longer, a signal handler must be set up for TERM).

Hopefully the above rule example is useful.

kind regards,
risto
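
A stand-alone Perl illustration of the two 'lcall' bodies in this thread (an editor's added example, not code from Risto's reply, from Penelope's mail or from SEC itself). It fills %main::context_list with constructed context names so that it runs outside SEC, prints what the grep/join expression hands to 'fill', and reproduces the runtime error from the original 'foreach ... obsolete $context' attempt: inside a Perl sub, 'obsolete $context' is not a SEC action but is parsed by Perl as the method call $context->obsolete, with the context name taken as a package name.

```perl
#!/usr/bin/perl
# Added example, not part of the original mail thread.
# Inside SEC, %main::context_list is the hash of context name => context
# data that SEC maintains; here it is filled with constructed names so the
# script runs without SEC.
use strict;
use warnings;

our %context_list = (
    'msg_sendmail[4208]' => {},   # constructed sample contexts
    'msg_sendmail[4211]' => {},
    'BUFFER'             => {},
    'SEC_INTERNAL_EVENT' => {},
);

# The expression Risto's first rule passes to 'lcall': one context name
# per line, only those with the msg_ prefix. 'fill BUFFER %ret' then
# splits this string on newlines into the BUFFER event store.
sub msg_context_names {
    return join("\n", grep { /^msg_/ } keys %main::context_list);
}

print "lcall result (what 'fill BUFFER %ret' splits on newline):\n";
print msg_context_names(), "\n\n";

# Why the original lcall died: Perl reads 'obsolete $context' as the
# indirect-object method call $context->obsolete, and a plain string
# invocant is treated as a package name that has no such method.
sub call_obsolete_from_perl {
    my $err = '';
    for my $context (sort grep { /^msg_/ } keys %main::context_list) {
        eval { obsolete $context; 1 } or do { $err = $@; last };
    }
    return $err;
}

print "Perl error from 'obsolete \$context': ", call_obsolete_from_perl();
```

Run it with plain perl; the second message is the same "Can't locate object method "obsolete" via package "msg_sendmail[4208]"" error quoted below, which is why the loop has to be written with SEC's own 'while', 'shift' and 'obsolete' actions rather than inside the Perl sub.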



Contact sec-user--- via Simple-evcorr-users
(<simple-evcorr-users@lists.sourceforge.net>) wrote on Tue,
15 December 2020 at 01:39:
>
> Hello!
>
> I'm dabbling with SEC, experimenting with adding lines into contexts and only 
> when the context is finished, decide what to do with it.  Essentially it's 
> taking a look at the group of log messages emitted by sendmail for every 
> connection, looking for behaviour that is not consistent with being an 
> honored guest on the internet, and blocking the source with iptables and 
> ipset.
>
> The problem is that I'm testing with the same input file over and over, but 
> the 'report' actions aren't running because the entire log file is processed 
> in less than 10 seconds:
>
> sec --conf sendmail.test \
>   --input /tmp/all.logs \
>   --fromstart \
>   --notail \
>   --bufsize=1 \
>   --log=- \
>   --intevents \
>   --intcontexts \
>   --debug=50
>
> Rather than write some perl to run in the SEC_SHUTDOWN internal event to 
> write the context buffers to files, I'd really rather just run the 'obsolete' 
> action on all contexts.  Is there a straightforward way to do that?
>
> type=Single
> ptype=SubStr
> pattern=SEC_SHUTDOWN
> context=SEC_INTERNAL_EVENT
> desc=Save contexts msg_* into /tmp/report.* on shutdown
> action=logonly; lcall %ret -> ( sub { my($context); \
>     foreach $context (keys %main::context_list) { obsolete $context; } \
>     } )
>
> Mon Dec 14 14:49:34 2020: Code 'CODE(0x560fca302fb8)' runtime error: Can't 
> locate object method "obsolete" via package "msg_sendmail[4208]" (perhaps you 
> forgot to load "msg_sendmail[4208]"?) at (eval 9) line 1.
>
> For better testing, it would be cool if SEC's idea of the current time could 
> be derived from the timestamps in the log file instead of wall-clock time, so 
> that context actions happen at the right time relative to log messages 
> (rather than 30 seconds after the program ends! :-), but that's probably a 
> bit too much to ask for.
>
> Thanks!
>
> --
>
> Penelope Fudd
>
> sec-u...@ch.pkts.ca
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users

