hi Shashi,
there appears to be a subtle difference between the regular expression and
the event you are trying to match. When you take a closer look at the
regular expression, you will notice that it contains the following fragment:
%SATCTRL-FEX101-2
However, the event from the log file contains
Hi All,
Is there any problem in this rule??
Rule was all working good but suddenly stopped working by not matching the
first pattern.
## Rule: 30(Nexus Extender power supply) Environment alert regarding power
supply failure `It will suppress alarm if power supply recovers within an hour
ty
My bad, sent the wrong rule.
Here is the correct SEC rule that I have in production.
type=pairWithWindow
ptype=regexp
continue=dontcont
pattern=Date=.* ,Device=(\S+) ,Msg=.*%((SATCTRL-FEX1[0-9][0-9]-2-SOHMS_DIAG_ERROR:).*power supply (\d): failed.*)
desc=$1 $3 $4
action=shellcmd perl /etc/syslo
hi Shashi,
I tested the rule quickly against the following input line that you
provided in your previous post:
Date=Sep 8 08:12:30 ,Device=san-w170-dcr-sw-02-mgmt ,Msg=2016 Sep 8 08:12:30 PDT: %SATCTRL-FEX107-2-SOHMS_DIAG_ERROR: FEX-107 System minor alarm on power supply 2: failed
In my quick
Risto,
Thanks for your inputs. I have set up SEC in such a way that if the pattern does
not match any of the rules, it will be logged against the last rule as below:
## Rule:32
## Last Updated At: 2014-08-22T16:38:01.061Z
## A catch all rule that is used for researching new patterns
type=singleWithSuppr
hi Shashi,
are all your rules in the same file, and is the event a single-line event
that doesn't contain any newlines? Since the event matching process depends
on the order of rules, and rules can be skipped with continue=goto
statements, seeing the entire rule file would be helpful. Also, have yo
Hi Risto,
Sorry for answering late. I was on holidays.
I want to precalculate how many files sec is going to open and compare that with
the number of files that we think sec should open, and validate the input
paths, because sometimes sec with Strawberry Perl doesn't load all paths.
Thank you!.Regard
Risto,
Yes, all the rules are in the same file, and when I tried running the whole file
as the configuration file and provided just a dummy file that had the exact
event, it still works.
Pattern gets logged as Research pattern only when it is running as daemon. Just
thinking if there is a possibility