Hello -
I am trying to construct a set of rules that cause a change in behavior if
a certain thing happens.
My first rule catches a particular line from a log file and has an ID of
100500.
Then I have a set of rules that look something like this:
<rule id="100524" level="3" frequency="1" timeframe="300">
  <if_matched_sid>100500</if_matched_sid>
  <if_sid>550</if_sid>
  <match>/a/file/im/interested/in</match>
  <description>Acceptable update of /a/file/im/interested/in</description>
</rule>
<rule id="100525" level="3" frequency="1" timeframe="300">
  <if_matched_sid>100500</if_matched_sid>
  <if_sid>550</if_sid>
  <match>/a/differentfile/im/interested/in</match>
  <description>Acceptable update of /a/differentfile/im/interested/in</description>
</rule>
This works just great - the first time through. If, within the 5-minute
period, one of the files is modified, then either rule 100524 or 100525
triggers.
But that is the end of my show. I've been interpreting frequency and
timeframe as count of alerts within the time period - but it appears to me
that my count of alerts is being reset after the first composite rule
fires. Is it not "legal" to have multiple rules watching the frequency of
some other rule? Is there some other simpler problem here with my rules?
Thank you