Re: [Simple-evcorr-users] help

2018-12-06 Thread Risto Vaarandi
hi Graeme, your posting is apparently empty -- can you re-post your question? risto Contact Graeme Danielson () wrote on Thu, 6 December 2018 at 05:05: > > > > > -- Graeme Danielson tel:+64-21-611345 <+64-21-611345> UTC+13 > > > > Good planets are hard to find - please think of the e

Re: [Simple-evcorr-users] SingleWithThreshold reference current input line

2018-11-08 Thread Risto Vaarandi
hi Dusan, the problem lies in the fact that when SingleWithThreshold rule starts a counting operation, match variables in the 'action' field receive their values from the first event which triggered that operation (that is done for staying consistent with substitution of variables in other fields,

Re: [Simple-evcorr-users] Suppress rule and continue field support

2018-10-14 Thread Risto Vaarandi
d with a new entry: http://simple-evcorr.github.io/FAQ.html#25 kind regards, risto Thank you, >> >> Dusan >> -- >> *From:* Risto Vaarandi >> *Sent:* Friday, 12 October 2018 11:25 >> *To:* dusan.so...@hotmail.sk >> *Cc:

Re: [Simple-evcorr-users] Suppress rule and continue field support

2018-10-12 Thread Risto Vaarandi
umentation accordingly. risto I like the idea to add this as a separate FAQ entry. > > > > Thank you, > > Dusan > ------ > *From:* Risto Vaarandi > *Sent:* Friday, 12 October 2018 11:25 > *To:* dusan.so...@hotmail.sk > *Cc:* simple-evco

Re: [Simple-evcorr-users] Suppress rule and continue field support

2018-10-12 Thread Risto Vaarandi
y. > Thanks for this great piece of software and I really appreciate your > support and help. > I am happy that you like sec and have found it useful :-) kind regards, risto > Dusan > > -- > *From:* Risto Vaarandi > *Sent:* Thursday, 11.

Re: [Simple-evcorr-users] Suppress rule and continue field support

2018-10-11 Thread Risto Vaarandi
> Hello SEC Users, > > > hi Dusan, Based on SEC documentation, *Suppress* rules don't support the “continue” field > like other rules. > > My understanding is that if a suppress rule matches an event, the search for > matching rules ends in the *current* configuration file. > That's correct, the Suppress ru

[Simple-evcorr-users] sec-2.8.1 released

2018-10-03 Thread Risto Vaarandi
hi all, today, sec-2.8.1 has been released which contains a minor bug fix over the 2.8.0 version. The new version can be downloaded from: https://github.com/simple-evcorr/sec/releases/download/2.8.1/sec-2.8.1.tar.gz Here is the changelog: --- version 2.8.1 * fixed a bug in dump file creation rou

[Simple-evcorr-users] updates to SEC FAQ

2018-09-06 Thread Risto Vaarandi
hi all, sec FAQ has been updated with an example on how to employ 'addinput' and 'dropinput' actions for tracking input files that contain timestamps in their names: http://simple-evcorr.github.io/FAQ.html#24 (With 'addinput' and 'dropinput' actions, one can configure more complex input tracking

[Simple-evcorr-users] sec-2.8.0 released

2018-08-30 Thread Risto Vaarandi
hi all, today, sec-2.8.0 has been released which contains a few minor bugfixes over sec-2.8.alpha2 and is available from: https://github.com/simple-evcorr/sec/releases/download/2.8.0/sec-2.8.0.tar.gz Here is the changelog for the 2.8.0 version: --- version 2.8.0 * added support for dynamic input

Re: [Simple-evcorr-users] Whitelisting or Blacklisting

2018-07-10 Thread Risto Vaarandi
hi Santosh, as I can see, the first rule (SingleWithScript) employs the 'event' action for creating a synthetic event which apparently serves as an input for the second rule. For creating a synthetic event, a prefix "Suppressed Alert" will be added to the original input line. Unfortunately, this c

Re: [Simple-evcorr-users] Accessing nested fields in json logs

2018-07-09 Thread Risto Vaarandi
Hi Alberto, Yes, it can be done, and there is a relevant example in sec rule repository (see the "parsing-json" subdirectory). Also, Q22 in sec FAQ provides a reference to this example. Hope this helps, risto Tue, 10 July 2018 09:38 Alberto Corton wrote: > Hi, > > We have some logs encoded

[Simple-evcorr-users] sec-2.8.alpha2 released

2018-06-20 Thread Risto Vaarandi
hi, today, sec-2.8.alpha2 has been released which adds support for dump files in json format. The new version can be downloaded here: https://github.com/simple-evcorr/sec/releases/download/2.8.alpha2/sec-2.8.alpha2.tar.gz kind regards, risto ---

Re: [Simple-evcorr-users] sec-2.8.alpha1 released

2018-06-16 Thread Risto Vaarandi
in the file for both troubleshooting > and monitoring. > > Regards, > > On 04/06/18 at 13:42, Risto Vaarandi wrote: > > Hi Alberto, > > > > That’s an interesting idea. Just out of curiosity – would you mostly need > JSON format for easier processing of performa

Re: [Simple-evcorr-users] Way to correlate 2 rules with threshold

2018-06-13 Thread Risto Vaarandi
7;t need to exist throughout the execution of the entire action list. As for 'delete' action, the context that is deleted does not necessarily need to exist, and if it is not there, 'delete' is no-op (you would see a debug-level message in the log about the missing context, though).

Re: [Simple-evcorr-users] Way to correlate 2 rules with threshold

2018-06-12 Thread Risto Vaarandi
hi Przemysław, for addressing this problem, you could divide it into several independent subtasks: 1) memorize the mapping from msgid to username, so that each mapping would exist for a certain amount of time 2) when a bounce event appears in the log, generate a synthetic event for the bounce, so

Re: [Simple-evcorr-users] sec-2.8.alpha1 released

2018-06-04 Thread Risto Vaarandi
Hi Alberto, I see your point. I’ll look into the code what might be the best options for implementing this functionality. Kind regards, risto From: Alberto Corton [mailto:acor...@s21sec.com] Sent: Monday, June 04, 2018 3:45 PM To: Risto Vaarandi ; simple-evcorr-users@lists.sourceforge.net

Re: [Simple-evcorr-users] sec-2.8.alpha1 released

2018-06-04 Thread Risto Vaarandi
consume the data programmatically. Regards, On 21/05/18 at 12:29, Risto Vaarandi wrote: hi all, today, sec-2.8.alpha1 has been released which is the alpha version preceding 2.8.0. The new version supports several new features, including dynamic input files, signal emulation, and several

[Simple-evcorr-users] sec-2.8.alpha1 released

2018-05-21 Thread Risto Vaarandi
hi all, today, sec-2.8.alpha1 has been released which is the alpha version preceding 2.8.0. The new version supports several new features, including dynamic input files, signal emulation, and several new actions. Here is the full changelog: * added support for dynamic input files, and 'addinput'

Re: [Simple-evcorr-users] keepalive

2018-04-07 Thread Risto Vaarandi
hi Eli, it is indeed not very efficient to recreate the KEEPALIVE context on every syslog message which comes in. Also, this approach has another drawback -- suppose sec needs to be shut down for a short maintenance, and one of the hosts stops sending messages while sec is down. When maintenance e

Re: [Simple-evcorr-users] Storing events of a SingleWithThreshold rule

2018-04-04 Thread Risto Vaarandi
hi Alberto, one can of course address this question with simply using "report EVENT_STORE tail -n 3" which would output the last three events, discarding all previous ones. However, this solution is not general enough, because sometimes one might want to implement a counting operation where the contex

Re: [Simple-evcorr-users] rule reuse and file splitting

2018-04-04 Thread Risto Vaarandi
hi Eli, if you have a large rule set that is stored into one file, you can start with grouping rules by application/source types that produce messages. For example, if you have rules for entirely different applications like sshd and Oracle, it usually makes sense to store rules for such applicatio

Re: [Simple-evcorr-users] Input log missing in syslog-ng

2018-04-03 Thread Risto Vaarandi
. This is breaking things on > SEC side for auto closure of alerts. > > Same events from devices are copied to Splunk too and missing events > appeared there. > > > > Regards, > > Inderjeet > > +91-9971183748 <+91%2099711%2083748> > > > > >

Re: [Simple-evcorr-users] Input log missing in syslog-ng

2018-04-03 Thread Risto Vaarandi
Hi Inderjeet, A quick question - are events missing from the file which serves as an input for SEC (in other words, the file which is provided with the -input command line option to SEC)? If so, is this file produced by syslog-ng? Kind regards, risto From: Inderjeet Singh [mailto:inder...@qti.

Re: [Simple-evcorr-users] design question about dynamic inputs

2018-03-20 Thread Risto Vaarandi
nd flexible (you could include > or ignore symlinks as you wish, for example). > > The only caveat I see for the new action is the minimum 60 second delay > when used in a calendar rule. In the past we have struggled with running > rules at periodic, shorter intervals. > > Regar

Re: [Simple-evcorr-users] design question about dynamic inputs

2018-03-20 Thread Risto Vaarandi
questions about what you have in mind. If periodic re-evaluation > of the input file pattern is to be avoided for the reasons you provided I > guess that these new actions are not intended to be run via a Calendar > rule. Or are they? > > Also, would they work with glob patterns, as

[Simple-evcorr-users] design question about dynamic inputs

2018-03-19 Thread Risto Vaarandi
hi all, in the past, there have been several questions in the mailing list about support for input file names with variable parts (such as timestamps). While this question can be addressed with setting up a constant symbolic link to input file, this approach does not work for platforms which don't

Re: [Simple-evcorr-users] PairWithWindow rule and timestamp of the first event

2018-03-09 Thread Risto Vaarandi
hi Roni, there are three ways in which this problem can be tackled. If your events contain timestamps, the simplest solution is to extract a timestamp from event and set a match variable for holding the timestamp. For example, if events always have a numerical timestamp as a prefix, you could use the f

Re: [Simple-evcorr-users] SEC use cases -> modifying the state of the world

2018-03-08 Thread Risto Vaarandi
hi Andrew, in his e-mail, John has already provided several scenarios for changing the system state from SEC. One of the examples John has outlined involved changing firewall rules and I've done that as well in the past. To provide more examples, Markus Kont released his SEC attack detection rules

Re: [Simple-evcorr-users] SEC Reading problem

2018-02-13 Thread Risto Vaarandi
2018-02-12 11:54 GMT+02:00 Jaren Peich : > Hi, > > Thanks again for your response. > > The first doubt I still can't understand. I just solved it by adding a rule like > this and it starts processing. > > type=Single > ptype=SubStr > pattern=SEC_STARTUP > context=SEC_INTERNAL_EVENT > desc=init Signal >

Re: [Simple-evcorr-users] SEC Reading problem

2018-01-31 Thread Risto Vaarandi
2018-01-31 16:13 GMT+02:00 Jaren Peich : > Hi, > > Thanks again for sharing your work, I was testing and studying a little > bit and firstly I could not use it as it comes because in SEC 2.6.2 and > Strawberry Perl 5.14.3.1 they are not supported. Then I rewrote the code a > little bit for using it. Comm

Re: [Simple-evcorr-users] SEC Reading problem

2018-01-27 Thread Risto Vaarandi
hi all, sec rule repository has been updated with new rules for Xymon: https://github.com/simple-evcorr/rulesets/tree/master/xymon I would like to thank Andy for sharing them with other sec users :-) kind regards, risto 2018-01-26 15:59 GMT+02:00 Risto Vaarandi : > hi Andy, > > ca

Re: [Simple-evcorr-users] SEC Reading problem

2018-01-26 Thread Risto Vaarandi
t; pattern = ^reload > action = lcall %r ABRT -> ( sub { Sec2Xym::fake_signal_handler(@_) } );\ > if %r ( logonly %r ) > > > ### > > I am happy to share these snippets in full if anyone is inte

Re: [Simple-evcorr-users] SEC Reading problem

2018-01-26 Thread Risto Vaarandi
hi Jaren, I can see that your rules are trying to emulate process control via UNIX signals which are missing on Windows/Strawberry platform. However, I would *not* recommend calling functions like read_config() directly, since in sec source code they are executed with a number of additional surrou

Re: [Simple-evcorr-users] Variable set from one rule, to use with action on another rule.

2018-01-12 Thread Risto Vaarandi
hi Kamil, for fetching the content of the context event store, you can take advantage of the 'copy' action which assigns the content to an action list variable. For example: action=copy CHANNEL_ON_$1 %content; write /var/log/errors error on stb $1 at channel %content Please note the following ca

Re: [Simple-evcorr-users] Ignore first n 'bar' if 'foo' occurs

2018-01-11 Thread Risto Vaarandi
hi Kamil, since you want to count 'bar' events without having any particular time constraint imposed for counting, this task can be accomplished without rules that involve event correlation with a specific window (such as SingleWithThreshold). In my opinion, it is best to use simple Perl-based

[Simple-evcorr-users] sec-2.7.12 released

2017-12-12 Thread Risto Vaarandi
hi all, sec-2.7.12 has been released which fixes a bug in the context expression parsing routine. Due to this bug, exclamation mark was not accepted in the middle of context name operands, and therefore it was not possible to use named match variables like $+{a!b} in context names. The new version

Re: [Simple-evcorr-users] Get last event in SingleWithThreshold rule

2017-11-21 Thread Risto Vaarandi
hi Roni, in the case of SingleWithThreshold rule (and other counting rules), variables in the 'action' field are indeed substituted when the first matching event appears and the counting operation is initialized. One reason for this is the following -- not all event correlation operations execu

[Simple-evcorr-users] reading utf16 log files

2017-10-27 Thread Risto Vaarandi
hi all, a couple of months ago, a question about reading utf16 log files came up in the mailing list. While perl's utf8 IO layer can be easily activated by setting PERL_UNICODE environment variable for sec, there is no similar support for utf16. In order to help the users to address this problem, I

Re: [Simple-evcorr-users] Log Rotation

2017-08-11 Thread Risto Vaarandi
hi Joanna, that is an interesting question which has been discussed before in the mailing list. You can find some past threads here: http://sourceforge.net/mailarchive/message.php?msg_id=26661175 http://sourceforge.net/mailarchive/message.php?msg_id=26662612 Although sec does not support timestam

Re: [Simple-evcorr-users] look-up a string in a hash, then write hash value

2017-08-07 Thread Risto Vaarandi
2017-08-05 18:15 GMT+03:00 Risto Vaarandi : > hi Stuart, > ... > > For initializing the %arrayid_to_lnn hash, I have used the following rule > from one of your previous posts: > > # Global variables > type=Single > ptype=SubStr > pattern=SEC_STARTUP >

Re: [Simple-evcorr-users] Help

2017-08-07 Thread Risto Vaarandi
wn' or 'cspawn' if it's possible? > > > I am a beginner and I would appreciate your help! Thank you for your time. > > > Thanks in advance, > > Joanna Christou > > > > > > > > From: Risto Vaarandi > Sent

Re: [Simple-evcorr-users] look-up a string in a hash, then write hash value

2017-08-05 Thread Risto Vaarandi
hi Stuart, I have tried out your ruleset with the test event you have provided, with /home/tocops/.tocpipe replaced with - (standard output). I have found no issues with the ruleset and it works as expected: sec --conf=stuart.sec --input=- --intevents SEC (Simple Event Correlator) 2.7.8 Readin

Re: [Simple-evcorr-users] look-up a string in a hash, then write hash value

2017-08-04 Thread Risto Vaarandi
> > I create a rule which uses %arrayid_to_lnn to translate Array ID into LNN > > > > # Handle Isilon node down messages > > type=SingleWithSuppress > > ptype=regexp > > pattern=T(\d\d:\d\d:\d\d)\-\d\d:\d\d (.*?) .*gmp.info.c.* group change:.* > (node \d+ drive \d+ changed to up) > > desc=Drive Rec

Re: [Simple-evcorr-users] Understanding % when creating config file global variables

2017-08-04 Thread Risto Vaarandi
2017-08-04 15:15 GMT+03:00 Stuart Kendrick : > I want a mental model for how sec identifies variables in a config file. > > > > Here for example, I want to save some typing in my rules by creating a > variable containing a string. In this example, I spend a lot of time (in > the rules) writing

Re: [Simple-evcorr-users] look-up a string in a hash, then write hash value

2017-08-03 Thread Risto Vaarandi
e the same effect. hth, risto 2017-08-03 22:46 GMT+03:00 Risto Vaarandi : > > 2017-08-03 16:40 GMT+03:00 Stuart Kendrick : > ... > >> >> >> But this is fine – a classic challenge, which sec is prepared to meet. >> >> >> >> So, I created a glo

Re: [Simple-evcorr-users] look-up a string in a hash, then write hash value

2017-08-03 Thread Risto Vaarandi
2017-08-03 16:40 GMT+03:00 Stuart Kendrick : ... > > > But this is fine – a classic challenge, which sec is prepared to meet. > > > > So, I created a global hash using SEC_STARTUP / SEC_INTERNAL_EVENT > > > > # Global variables for Isilon > > type=Single > > ptype=SubStr > > pattern=SEC_STARTUP >

Re: [Simple-evcorr-users] Help

2017-08-03 Thread Risto Vaarandi
hi Joanna, while SEC can be easily configured to run in UTF-8 mode by setting the PERL_UNICODE environment variable, this approach apparently does not work for UCS-2. One can of course manually add 'binmode' statements for UCS-2 files into SEC code, but doing it just for input files is not enough,

Re: [Simple-evcorr-users] look-up a string in a hash, then write hash value

2017-07-25 Thread Risto Vaarandi
hi Stuart, you are on the right track and the PerlFunc pattern in your rule properly maps the integer into a string. As explained in the documentation section of different pattern types (see http://simple-evcorr.github.io/man.html#lbAG), return values from the PerlFunc pattern function initialize

Re: [Simple-evcorr-users] SEC_SHUTDOWN event/delay

2017-07-17 Thread Risto Vaarandi
hi Peter, I did more testing on Centos7 and was able to run into the same issue. Unfortunately, this problem reappeared once even with "SendSIGKILL=no" setting :-( It appears that a similarly looking bug has been reported before for an earlier version of systemd, but that was a while ago: https://b

Re: [Simple-evcorr-users] SEC_SHUTDOWN event/delay

2017-07-17 Thread Risto Vaarandi
hi Peter, that is an interesting problem. Let me ask the following question -- is the restart done via system init script? If so, the behavior you are observing might be caused by the init script -- it initially sends a TERM signal to the sec process which is then followed by KILL, since the proces

[Simple-evcorr-users] potential issues with mailing list

2017-06-14 Thread Risto Vaarandi
hi all, since 2001, SEC mailing list service has been provided by SourceForge, with the list archive being publicly searchable (https://sourceforge.net/p/simple-evcorr/mailman/simple-evcorr-users/). A few days ago I received an e-mail from SourceForge that all their mailing lists will be rearranged

Re: [Simple-evcorr-users] Sec Rule problem

2017-06-13 Thread Risto Vaarandi
and it is working > properly, I didn't see any inconvenience. > > Thank you so much Risto! Regards! > > 2017-06-08 17:18 GMT+02:00 Jaren Peich : >> >> Hi, >> >> Thank you Risto! I was still blocked. I'll test it tomorrow and I'll tell. >> >> Regards.

Re: [Simple-evcorr-users] Sec Rule problem

2017-06-07 Thread Risto Vaarandi
hi Jaren, I would recommend dividing the task into two parts: 1) normalization of log messages and the creation of one synthetic event from three raw log events 2) writing a thresholding rule for synthetic events generated during step 1 As I understand from examples, each incoming e-mail generat

[Simple-evcorr-users] integration with systemd (update to SEC FAQ)

2017-05-31 Thread Risto Vaarandi
hi all, I have updated the SEC FAQ with an entry about integration with systemd: http://simple-evcorr.github.io/FAQ.html#21 This entry describes scenarios for running both one and multiple SEC instances, and provides an example of how to run several instances with different user permissions and umas

Re: [Simple-evcorr-users] Regexp matching against context names

2017-04-20 Thread Risto Vaarandi
hi Dusan, the post you are referring to originates from 2012 when the most recent sec version was 2.6.2. This version indeed didn't have support for looping in action lists. While 2.7.X versions do not have a specific action for regular expression based filtering of context names, it can be done i

Re: [Simple-evcorr-users] Sec error (invalid regular expression)

2017-04-14 Thread Risto Vaarandi
hi James, you are seeing this error message because many Perl regular expression language flavors do not allow negative lookbehinds which match variable number of bytes. In your expression, you have a list of branches where each branch matches a different number of bytes (for example, "lt" matches

Re: [Simple-evcorr-users] How to mail with a multiline body?

2017-03-29 Thread Risto Vaarandi
2017-03-29 18:15 GMT+03:00 James Lay : > On 2017-03-28 15:09, Tom Damon wrote: > > Hi, > > I'm new to the list, so my apologies if this isn't the appropriate > place for this question. > > I'm trying to use the following rule to send an email formatted in a > particular way. Usually, '\n' works

Re: [Simple-evcorr-users] How to mail with a multiline body?

2017-03-29 Thread Risto Vaarandi
hi Tom, backslash sequences are not interpreted in sec actions, but you can use builtin action list variables instead. In order to insert the newline character into the 'pipe' action string, use the %{.nl} action list variable. You can also refer to it as %.nl, but since in your case letters would

Re: [Simple-evcorr-users] Negation

2017-03-17 Thread Risto Vaarandi
sec on it. > > James > > > On 2017-03-17 11:23, Risto Vaarandi wrote: >> >> hi Todd and James, >> >> if I may, maybe I can adjust the previous expression just a little bit: >> >> \/\/([^\/.]+\.)*(?!net\/|org\/)[^\/.]+\/\S+\.php\?id=[0-9

Re: [Simple-evcorr-users] Negation

2017-03-17 Thread Risto Vaarandi
Thanks, Todd -- I am happy that you like sec :-) risto 2017-03-17 18:50 GMT+02:00 Todd M. Hall : > Risto, > > Good to know, thanks. And while I've got your attention I'd like to thank you > for an awesome program and for all of your hard work. > > > On Fri, 17

Re: [Simple-evcorr-users] Negation

2017-03-17 Thread Risto Vaarandi
hi Todd and James, if I may, maybe I can adjust the previous expression just a little bit: \/\/([^\/.]+\.)*(?!net\/|org\/)[^\/.]+\/\S+\.php\?id=[0-9A-Za-z]{8} Maybe I can also explain some key components: \/\/ -- match two slashes [^\/.]+ -- match a sequence of characters which are neither sl

Re: [Simple-evcorr-users] Negation

2017-03-17 Thread Risto Vaarandi
Hi Todd, Since SEC is written in Perl, it uses Perl's regular expression engine, and therefore supports all regular expression features that are supported by the underlying Perl version. Since SEC requires perl 5.8 or later which all have lookaheads and lookbehinds, they can also be used in rule

Re: [Simple-evcorr-users] VIM syntax file?

2017-02-10 Thread Risto Vaarandi
hi Alberto and James, can I share this file in sec rule repository at GitHub? It contains not just rules, but a few other resources as well: https://github.com/simple-evcorr/rulesets/ The vim syntax file would nicely fit there :) kind regards, risto 2017-02-10 9:07 GMT+02:00 Alberto Corton : > Th

[Simple-evcorr-users] sec-2.7.11 released

2017-02-03 Thread Risto Vaarandi
hi all, sec-2.7.11 has been released which is available from Github and SourceForge: https://github.com/simple-evcorr/sec/releases http://sourceforge.net/projects/simple-evcorr/files/sec/2.7.11/sec-2.7.11.tar.gz Here is the changelog for the new version: * added support for the --user, --group a

Re: [Simple-evcorr-users] some changes in the next sec release (feedback appreciated)

2017-01-31 Thread Risto Vaarandi
2017-01-31 6:35 GMT+02:00 David Lang : > On Mon, 30 Jan 2017, Risto Vaarandi wrote: > >> I am also considering raising the default value for the --blocksize >> option (it is currently 1024 which means that sec attempts to read >> from input files by 1KB blocks). Are the

[Simple-evcorr-users] some changes in the next sec release (feedback appreciated)

2017-01-30 Thread Risto Vaarandi
hi all, I am working on the next sec release and would like to get some feedback from end users, since I've implemented some changes in the beta code of the next release. Previous versions of sec have ignored the PIPE signal in specific parts of the code (such as functions which write to tcp and udp

Re: [Simple-evcorr-users] Test IF correlation operation exist then take action

2017-01-15 Thread Risto Vaarandi
hi Dusan, the use of 'getwpos' is probably the best way to accomplish this task. As an alternative, one could check sec internal data structures, but it is more complex and makes the rules less readable. Since 'getwpos' assigns the beginning of the event correlation window (as seconds since epoch)

Re: [Simple-evcorr-users] Fw: Content of pattern match cache after synthetic event injection

2017-01-01 Thread Risto Vaarandi
ke my complex rule-set to > work in the way I want. > > > Thanks & Best Regards, > > Dusan > > ------ > *From:* Risto Vaarandi > *Sent:* 31 December 2016 10:51 > *To:* Dusan Sovic > *Cc:* simple-evcorr-users@lists.sourceforge.net

Re: [Simple-evcorr-users] Content of pattern match cache after synthetic event injection

2016-12-31 Thread Risto Vaarandi
hi Dusan, you have asked an excellent question. Behavior you are seeing is actually something expected, since pattern match caching is done after a successful RegExp pattern match, but *before* the 'context' field of the rule definition is evaluated. It is also discussed in the documentation of th

Re: [Simple-evcorr-users] a very dumb issue

2016-12-29 Thread Risto Vaarandi
ters on input pipe -, closing the pipe". Also, have you tried sending the USR1 signal to the sec process? There is a section in this file which describes the state of inputs. Is standard input reported as open? kind regards, risto > > Thanks > Martín > > > 2016-1

Re: [Simple-evcorr-users] a very dumb issue

2016-12-28 Thread Risto Vaarandi
hi Martin, it could be that sec is not able to find the 'mail' program, since the directory where 'mail' resides is not in the search path. What happens if you try absolute path, e.g., /usr/bin/mail -s '%s' somem...@somedomain.com? kind regards, risto hi, I configured a rule on sec, that is fed

Re: [Simple-evcorr-users] problem sending events from rsyslog to sec

2016-12-22 Thread Risto Vaarandi
2016-12-22 16:41 GMT+02:00 Martin Etcheverry : > > Hi , everyone! i have a little problem with rsyslog sending events to sec. > > part of my config in the *rsyslog.conf* is ; > > $ModLoad omprog > > $ActionOMProgBinary /usr/local/bin/sec.sh > *.* :omprog: > > > my *sec.sh* is > > exec /usr/local/

Re: [Simple-evcorr-users] trying to create a rule to alarm when I get one alarm and the cancellation didn't arrive in 10 minutes

2016-12-19 Thread Risto Vaarandi
hi Martin, first of all, I would definitely recommend to have a look into the SEC official documentation, since the section for PairWithWindow rule contains an example which closely matches your scenario ( http://simple-evcorr.github.io/man.html#lbAP). Nevertheless, the following rule addresses

Re: [Simple-evcorr-users] Variable access lcall

2016-12-19 Thread Risto Vaarandi
s assigned to the %ret action list variable which gets return values from the functions? Since each successful 'print' statement returns 1, the %ret variable will be set to 1 in all three cases (provided that the functions didn't experience any issues with printing to standard output). I

Re: [Simple-evcorr-users] Variable access lcall

2016-12-19 Thread Risto Vaarandi
> Which is the difference between eval and lcall? 'eval' will compile the code before *each* execution. This has the advantage of using match variables and action list variables directly in the code: action=assign %test mystring; eval %o ( print "%test", "\n" ) For example, the above action list

Re: [Simple-evcorr-users] Variable access lcall

2016-12-19 Thread Risto Vaarandi
> rem = Rule 3 > type=SingleWithThreshold > ptype=RegExp > pattern=Email:(\S+) > desc=Three messages from the same sender $1 > window=21600 > thresh=3 > action=copy Email_$1 %loggi;lcall %o %loggi -> (sub{\ > my($logginput) = split(/\n/, $_[0]);\ Call to split() will split a scalar into a list by

Re: [Simple-evcorr-users] From start specific file

2016-12-15 Thread Risto Vaarandi
> > I have another question. How can I delete all contexts from a specific alert? > or specific contexts using regex from context hash? > For regular expression based context deletion, you have to access the main::context_list hash table in the sec code. In this hash table, context names serve as k

Re: [Simple-evcorr-users] From start specific file

2016-12-15 Thread Risto Vaarandi
Is my understanding correct that you would like to add new dynamic input sources (something which is not defined in commandline), after a specific event has been observed? If so, I would recommend to use spawn or cspawn action. For example, you could run the following action when a matching event

Re: [Simple-evcorr-users] unique login failures

2016-12-12 Thread Risto Vaarandi
hi, in fact, SEC official documentation (http://simple-evcorr.github.io/man.html) has a relevant example in the introductory section together with an in-depth discussion. This example concerns SSH login failures and you probably need to adjust it to cover your scenario. kind regards, risto 2016-12

Re: [Simple-evcorr-users] (no subject)

2016-12-04 Thread Risto Vaarandi
02 16:41 GMT+02:00 Jaren Peich : > Hi Risto, > > I added a diagram of what I want. > > https://drive.google.com/file/d/0BzGAeQ7Jnta6VW1GSHYzd21JMmc/view?usp=sharing > > I decided to do it during sec correlation but I'm seeing it's quite difficult. > > Regards. > >

Re: [Simple-evcorr-users] (no subject)

2016-11-30 Thread Risto Vaarandi
hi Jaren, as I understand from your rule example, you would like to modify the same input file from sec which is also monitored by sec? If so, I wouldn't recommend it. Firstly, sec is not only monitoring the content of the file but also its attributes, in order to detect situations when file is ro

Re: [Simple-evcorr-users] Auditd EXECVE message correlation

2016-11-18 Thread Risto Vaarandi
..forgot to mention that the ruleset example from my previous e-mail assumes the use of --intcontexts command line option ('cevent' action needs this). regards, risto 2016-11-19 1:24 GMT+02:00 Risto Vaarandi : > hi Nikolay, > > hopefully my e-mail is not too confusing, but I

Re: [Simple-evcorr-users] Auditd EXECVE message correlation

2016-11-18 Thread Risto Vaarandi
hi Nikolay, hopefully my e-mail is not too confusing, but I've played a little bit with linux auditd logs today and checked their format. At least on my laptop, it appears that the messages are always consecutive. In other words, the messages with the same timestamp and eventID (the value that is

Re: [Simple-evcorr-users] EventGroup correlation issue with AUDITD messages

2016-11-16 Thread Risto Vaarandi
opped from both rules, since named match variables can be easily created from regular expressions in 'pattern' fields (like it is done in 'pattern2' fields). kind regards, risto 2016-11-16 19:38 GMT+02:00 Risto Vaarandi : > hi Nikolay, > > the Eventgroup3 rule that you have

Re: [Simple-evcorr-users] EventGroup correlation issue with AUDITD messages

2016-11-16 Thread Risto Vaarandi
hi Nikolay, the Eventgroup3 rule that you have written might not be the best option for addressing this task, since it has been designed for scenarios where events can appear in arbitrary order. However, in the case of auditd records the three events should always have a fixed order: SYSCALL, CWD,

Re: [Simple-evcorr-users] trouble-shooting startup

2016-10-25 Thread Risto Vaarandi
Hi Stuart, The reason you are not seeing sec debug-level messages in syslog files might be the following -- these messages are logged with the syslog 'debug' severity, but on many distributions such messages are not written to any log file by default. For example, many Linux distributions log debug

Re: [Simple-evcorr-users] How to handle multiple config files and input file pairs in sec resource file

2016-10-04 Thread Risto Vaarandi
ppending locations to the environment variable ie > > Export SECRC=$SECRC:/etc/sec/secrc:/etc/sec/secrc2 ...etc > > And if we did that, how would each instance of sec know which path to use for > its resource file..? > > Thank you > > >> On Oct 4, 2016, at 11

Re: [Simple-evcorr-users] How to handle multiple config files and input file pairs in sec resource file

2016-10-04 Thread Risto Vaarandi
hi, when a sec process reads its resource file, *all* options from the resource file are appended to its command line options (comment lines and whitespace lines are excluded from consideration). Therefore, when you start several sec instances with the same resource file, each instance has identica

Re: [Simple-evcorr-users] Read context

2016-10-04 Thread Risto Vaarandi
shmids' set to '52364 >> 52365 >> 52366' >> Calling code 'CODE(0x2927f34)' and setting variable '%o' >> C:\log.log >> >Vuelta >> Use of uninitialized value $main::SEC::midcont[0] in string at (eval 4) >> line 1, l

Re: [Simple-evcorr-users] Read context

2016-10-04 Thread Risto Vaarandi
2016-10-04 14:55 GMT+03:00 Jaren Peich : > Hi, > ... > %pmid=%{ $_[0] };\ > @midcont = values %pmid;\ Since $_[0] is a string which contains values separated by newlines, I would recommend to replace the previous two lines with the following line: @midcont = split(/\n/, $_[0]); > > I don't kno

Re: [Simple-evcorr-users] Read context

2016-10-03 Thread Risto Vaarandi
>$lmid\n" if defined($mid);\ > if ($mid == $lmid){\ > my ($username, $domain) = $email =~ /(.*)@(.*)/;\ > print "\nDOMAIN FINDED===>$domain\n";\ > unshift(@arraymids, $domain);\ > }\ > }\ > }\ > }\ > if($arraymids[0] eq $arraymids[1] && $

Re: [Simple-evcorr-users] Read context

2016-10-01 Thread Risto Vaarandi
2016-09-30 12:20 GMT+03:00 Jaren Peich : > Hi Risto, > > I have a little doubt that I haven't seen in the documentation. > I want to detect and keep some data from the logs and then read the context > again and extract this data to process this info through a perl function. > ... > action = eva

Re: [Simple-evcorr-users] Read context

2016-09-30 Thread Risto Vaarandi
hi Jaren, is your ruleset not functioning as expected, and what is the exact problem you are currently having with this ruleset? Since you haven't mentioned what is the expected outcome from these rules and what the current implementation is missing, it is somewhat hard to troubleshoot the rules. k

Re: [Simple-evcorr-users] Rule Doubt

2016-09-11 Thread Risto Vaarandi
strawberry perl doesn't load all paths. > > Thank you! Regards. > > 2016-08-28 11:39 GMT+02:00 Risto Vaarandi : >> >> hi Jaren, >> I noticed that sec has been started with the --notail and --fromstart >> options. This means that sec reads the input file from the begin

Re: [Simple-evcorr-users] Pairwithwindow rule

2016-09-09 Thread Risto Vaarandi
't simply loaded with the ABRT signal? kind regards, risto > > > > Thanks, > > Shashi > > > > From: Risto Vaarandi [mailto:risto.vaara...@gmail.com] > Sent: Thursday, September 08, 2016 2:27 PM > > > To: Ganji, Shashirekha Yadav > Cc: simple-ev

Re: [Simple-evcorr-users] Pairwithwindow rule

2016-09-08 Thread Risto Vaarandi
gs/sec-messages.log > > window=86400 > > > > In this case,message is getting logged as Research pattern indicating SEC > did process the event. > > > > Thanks, > > Shashi > > > > *From:* Risto Vaarandi [mailto:risto.vaara...@gmail.com] >

Re: [Simple-evcorr-users] Pairwithwindow rule

2016-09-08 Thread Risto Vaarandi
ion2=shellcmd echo `date` "Source=SEC, KpiName=Network, Severity=-, > Action=Suppress, Device=$1, Pattern=$3, Notify Group=-, Log $0" >> > /local/mnt/workspace/logs/sec-logs/sec-messages.log > > window=3600 > > > > Thanks, > > Shashi > > >

Re: [Simple-evcorr-users] Pairwithwindow rule

2016-09-08 Thread Risto Vaarandi
hi Shashi, there appears to be a subtle difference between the regular expression and the event you are trying to match. When you take a closer look at the regular expression, you will notice that it contains the following fragment: %SATCTRL-FEX101-2 However, the event from the log file contains

Re: [Simple-evcorr-users] Rule Doubt

2016-08-28 Thread Risto Vaarandi
t; > > I don't know how to maintain the rule or context window alive till it > finishes, and write and detect that it is not writing. Also, is it possible to know > how many files it is going to read when you use a "regex" as an input? > example: -input=c:\*.log > If you can calculat

Re: [Simple-evcorr-users] Rule Doubt

2016-08-23 Thread Risto Vaarandi
2016-08-23 11:25 GMT+03:00 Jaren Peich : > Hi, > > I have tested on windows server 2008 + Strawberry perl and it is not > working as expected because it doesn't run script option. > These options should be supported on windows. How have you specified them on command line and have you checked sec
