hi Mark,
you can't use %alnum variables in patterns - these
variables are accessible only from action lists.
However, there is a much simpler solution to the
problem you have. Provided that you want to get an
e-mail message for
1) a user logout (QUIT message),
2) N seconds have elapsed since the
Any possibility in allowing a %alnum variable in a
calendar rule?
No, unfortunately that is not possible - %alnum
variables are for use in action lists only, and they
are evaluated when the action list is executed. If you
would like to have variable times for Calendar rule,
you can achieve
Joe Carvalho wrote:
I've recently picked up working on Prelude/Prewikka and SEC, it's
been a few years.
I've seen some msgs that sec integration is no longer part of the
Prelude tree.
Is anyone still using it as the correlation engine?
Joe,
If you meant to ask whether SEC is still
Pedro Martin wrote:
Hi,
Is there a way to use sec feeding variable thresholds to the rules in
the config files?
There are some processes that we are monitoring using the control
chart algorithm. This algorithm takes the data in a given time window
and calculates its mean and its
Risto, is there something we can do to 100%
guarantee to nullify the
effects of shell metachars by using built-in escaping or
similar in Sec?
I think this is worthy of a feature request to reduce the
likelihood
that there could be a log analysis attack on/through Sec
itself through
Tim Peiffer wrote:
I am using a calendar event to summarize multicast traffic on campus and
look for bandwidth anomalies. The output is checked for things like
excessive multicast SDP announcements (Plug and Pray). If run from
command line, the exit status is always 0. If run as part of
hi all,
I've released SEC-2.5.beta1 that you can download from:
http://prdownloads.sourceforge.net/simple-evcorr/sec-2.5.beta1.tar.gz
The new version introduces a number of changes. First of all, two new
rule types have been introduced (that has not happened since the 1.1
version :). The Jump
hi all,
does anyone have comments on the new release?
Since it's the first beta, things are still open now and changes can be
made.
br,
risto
Risto Vaarandi wrote:
hi all,
I've released SEC-2.5.beta1 that you can download from:
http://prdownloads.sourceforge.net/simple-evcorr/sec-2.5.beta1
Another change concerns the 'continue' parameter of rules -- it now
accepts GoTo label for its value. Also, goto labels can be set up with
the 'label' keyword in configuration files.
Is the label scoped to a single file, or can I put a label in a
different file and have it continue in
Ralf Schmitt wrote:
Tim,
thank you ... 'keys %main::context_list' is exactly what I need and your
example helped me to understand the usage.
Regards,
Ralf Schmitt
hi Ralph,
I'd propose another solution to your problem. If all you want to do is
to count unique IP addresses,
From: John P. Rouillard rou...@cs.umb.edu
Subject: Re: [Simple-evcorr-users] Best Documentation from Jim Brown lost
To: simple-evcorr-users@lists.sourceforge.net
Date: Thursday, December 11, 2008, 8:10 PM
In message 49415355.6090...@googlemail.com,
Hari Sekhon writes:
Hans-Joerg Wagner
hi all,
I have released SEC-2.5.beta2 that can be downloaded from:
http://prdownloads.sourceforge.net/simple-evcorr/sec-2.5.beta2.tar.gz
Here's the official changelog:
--- version 2.5.beta2
* added support for the Jump and Options rule.
* starting from this version, the 'continue' parameter
the new feature into the 2.5.0 release.
br,
risto
John P. Rouillard wrote:
Hi all:
In message 496c914c.2020...@seb.ee,
Risto Vaarandi writes:
I have released SEC-2.5.beta2 that can be downloaded from:
http://prdownloads.sourceforge.net/simple-evcorr/sec-2.5.beta2.tar.gz
I have enclosed
Thomas Wollner wrote:
Hello List,
Thomas,
if you would like to use an external file in a fast manner, here is a
solution (note that I just did a couple of tests with it, so there might
still be some typos):
type=Calendar
time=* * * * *
desc=Reload the lookup file
context= - ( sub { if
hi all,
SEC-2.5.0 is out now and is available at:
http://prdownloads.sourceforge.net/simple-evcorr/sec-2.5.0.tar.gz
It implements all the features of 2.5.beta2, plus logging level change
via SIGINT change suggested by John Rouillard. Here I'd like to use the
opportunity and thank John for both
Michael Andrus wrote:
On Fri, Feb 27, 2009 at 9:59 AM, Michael Andrus cen...@centyx.net wrote:
I've tried doing 'tail -f /var/log/secure /tmp/sec' and
am receiving the same results. The test event ( I am generating this event
myself by failing a
SSH login repeatedly ) is triggered by
Honia,
are you running SEC in the daemon mode (with the -detach option)? If so, all
scripts in your rule files *must* be specified with full path names, since in
the daemon mode SEC changes its working directory to /.
Also, have you activated logging for SEC with the -log option? If so, what
A quick question -- did you save the foobar string into your input file
_before_ starting SEC? SEC does not read in already existing lines by default,
but rather jumps to the end of the file and waits for new lines to arrive. Try
to start SEC first and then type 'echo foobar yourfile' -- does
John P. Rouillard wrote:
In message c732ce1bf9f5f3478b35dc5f352491294b216cc...@frspx100.fr01.awl.atosorigin.net,
Conway Allen writes:
2. substr match and $0
Isn't it sufficient to just do @($subst_ref) = ($line) in match_substr?
Well to assign the $0 token I think you are right. But
Conway Allen wrote:
Risto, thanks - I either missed the all-important section first time round or
failed to grasp its significance - or both.
So I now know how to create perl variables and how to manipulate perl objects
from within SEC. Cool!
As for the other matters I brought up.
1.
Joe Prosser wrote:
Hi Folks,
I'm trying to set up a separate ruleset to only match jumped events.
I have this entry in the top of that set's pattern file:
type=Options
procallin=no
joincfset=derive-rules
sec.pl complains on startup with:
/opt/SEC/derived_patterns.sec line 2: Invalid
Jeroen Scheerder wrote:
Bottom line- I don't think it's possible. But others may have a
better idea...
Thanks again. I think it's tricky, but am not yet convinced it's
impossible and will try to experiment a little. If I do, I just might
be able to add an use timestamp from
Michael Hale wrote:
Hello,
I was wondering if there was a way to alarm if a certain output is NOT
seen after a certain amount of time.
For example, I have a logfile which lists transaction processing - I
want to alarm when nothing is written to that file for a certain
amount of
Michael Hale wrote:
Hello,
...
BTW, are there searchable archives of this mailing list available? It
doesn't appear the SourceForge archives for this list allow searching?
...and your second question - I am missing the search feature, too, I
don't know why it has not been implemented,
From: Peter Kravtsov pe...@facebook.com
Subject: [Simple-evcorr-users] Threshold rules based on regexp count of a
matched keyword
To: Simple-evcorr-users@lists.sourceforge.net
Simple-evcorr-users@lists.sourceforge.net
Date: Thursday, April 16, 2009, 9:04 PM
Threshold rules based on
--- On Sat, 4/18/09, Aashish Sharma aash...@uiuc.edu wrote:
From: Aashish Sharma aash...@uiuc.edu
Subject: [Simple-evcorr-users] Output of context to a script
To: Simple-evcorr-users@lists.sourceforge.net
Date: Saturday, April 18, 2009, 12:55 AM
Hello:
Is there a way I can send the
--- On Tue, 4/21/09, Michael Hale mh...@transcomus.com wrote:
From: Michael Hale mh...@transcomus.com
Subject: Re: [Simple-evcorr-users] is there a way to alarm when input is NOT
seen after a certain amount of time?
To: Risto Vaarandi risto.vaara...@seb.ee
Cc: simple-evcorr-users
hi Tim,
I will look into this and check whether it is something that can be
implemented without larger issues.
best regards,
risto
Tim Peiffer wrote:
May I have a feature check or request for SEC ?
I would like to use the '/' in a calendar time and date fields to make
it compatible with
From: Mills, Rocky rx4...@att.com
Subject: [Simple-evcorr-users] Logpp and SEC input sources
To: simple-evcorr-users@lists.sourceforge.net
Date: Wednesday, April 22, 2009, 2:23 AM
Risto, Anyone,
I was considering counting various string matches using SEC
across
numerous (over
hi Hari,
after reading your mail, my first impression is that it shouldn't (and
actually, couldn't) be something that is built into SEC. SEC output
actions are currently very generic ones and they are not restricted to
doing something with lines that the pattern matched (i.e., the value of
$0
--- On Mon, 4/27/09, Hari Sekhon hpsek...@googlemail.com wrote:
From: Hari Sekhon hpsek...@googlemail.com
Subject: Re: [Simple-evcorr-users] Tracking down alert matching
rules/Color/Bold
To: Risto Vaarandi risto.vaara...@seb.ee
Cc: 'simple-evcorr-users@lists.sourceforge.net'
simple
From: Keith E. Lehigh kleh...@iupui.edu
Subject: [Simple-evcorr-users] Questions about Jump rule processing
To: simple-evcorr-users@lists.sourceforge.net
Date: Saturday, May 9, 2009, 10:14 PM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
All,
I have a couple questions regarding the
Tim,
I have finally had enough time to have a look at the code, and this change is
easy to implement. I completely agree that it is a useful feature, since it
allows for shorter notation of times. Therefore I'll try to release a separate
version soon that has this feature built in.
In
Gabriele Giorelli wrote:
hi
in rules I have:
action=pipe '$0' /usr/bin/mailx -s '[SEC] An error occurred' a...@acme.com
how to include the hostname in the subject to read:
action=pipe '$0' /usr/bin/mailx -s '[SEC] An error occurred on jupiter'
a...@acme.com
thank you
try the
uwe.ri...@ruv.de wrote:
Hi,
I am new to SEC.
I like to run a monitoring script every 5 min with a calendar rule:
# call monitorscript
type=Calendar
time=5,10,15,20,25,30,35,40,45,50,55 * * * *
desc=TESTMON
action=spawn /opt/local/eventscripts/TESTMON.cmd
Alberto,
with the current major release of SEC, only constant values are supported as
threshold values for thresholding rules. One reason for this is that each
thresholding rule could start many event correlation operations that do the
event counting. If the threshold value is a variable, it
Hayward, Ben wrote:
Hi List,
I have a challenge to have SEC trigger upon log NOT having a current
time stamp
on the file. The challenge is that the application sometimes hangs, NOT
writing
to log. I suppose I could look for current time stamp in last log line?
Any help from the
From: uwe.ri...@ruv.de uwe.ri...@ruv.de
Subject: [Simple-evcorr-users] SEC for use with monitoring
To: simple-evcorr-users@lists.sourceforge.net
Date: Thursday, June 4, 2009, 5:41 PM
Hello,
I am trying to use sec.pl to handle the monitoring
-run the monitoring script every minute,
hi all,
SEC-2.5.2 has been released and is available at:
http://prdownloads.sourceforge.net/simple-evcorr/sec-2.5.2.tar.gz
The new version adds a new feature to the Calendar rule. There are also
some improvements to the man page (including documenting a subtle
difference between Calendar and
: Tuesday, August 11, 2009, 11:39 PM
In message 36498.2499...@web33003.mail.mud.yahoo.com,
Risto Vaarandi writes:
hi John,
Hi Risto:
you are seeing this behavior, because context
expression parser
doesn't require the context name operand to contain no
spaces. I seem
to remember
May 15 04:25:10 crocus anftpd[340] retrieve private/software.tgz (failed)
add event to session_340_anftpd
create alias to session_340_anftpd called report_session_340_anftpd
10 May 15 04:25:12 crocus anftpd[340] logout
set timeout on session_340_anftpd to 1 second
This issue is related to the proper value of the 'desc' parameter in
rule definition. It has been discussed in the mailing list before many
times -- for example, the following thread might provide some insight:
hi all,
SourceForge has recently added a search function for all mailing lists
they host, including the SEC list:
http://sourceforge.net/search/?group_id=42089&type_of_search=mlists
I hope you all find this feature useful :)
with kind regards,
risto
Joe,
There are no special variables for context creation times, since the context
name space is huge and there would most certainly be clashes with user-defined
variables. I think the best solution would be to store the context creation
time with the 'add' action as the first line in the context's event
Jeff,
with the current version of SEC, you also have to provide action-on-expire for
'set' -- if only lifetime is provided, the action-on-expire will be cleared.
This issue was actually recently discussed in this list, and since there have
been no objections to changing the semantics of 'set',
On 10/07/2009 05:44 PM, Jeff Schroeder wrote:
On Wed, Oct 7, 2009 at 4:02 AM, Risto Vaarandi rvaara...@yahoo.com wrote:
Jeff,
with the current version of SEC, you also have to provide action-on-expire
for 'set' -- if only lifetime is provided, the action-on-expire will be
cleared. This
On 10/24/2009 01:17 AM, Ronald San Juan wrote:
Hi,
I am using SEC v2.5. The problem I have is SEC doesn't seem to read on
lines with over 1024 characters in length. I found out that it is using
sysread() which has limitations to 1024 characters.
Although by default SEC reads by 1KB blocks
..
*From:* Risto Vaarandi [mailto:rvaara...@yahoo.com]
*Sent:* Monday, 30 November 2009 12:22
*To:* Schmid, Christof
*Cc:* simple-evcorr-users@lists.sourceforge.net; Sonderegger, Markus;
Gasser, Bruno
*Subject:* RE: SEC
On 12/09/2009 05:26 PM, John P. Rouillard wrote:
In message 4b1fbe1f.3070...@umn.edu,
Tim Peiffer writes:
Risto Vaarandi wrote:
First, there is a way to implement at-like functionality dynamically
in SEC through the 'tevent' action (it's the most recently added
action that appeared
hi all,
I've released SEC-2.5.3 that includes some changes recently discussed in
the mailing list:
--- version 2.5.3
* starting from this version, the 'set' action without the action list
parameter does not clear the action-list-on-expiration for a context.
* starting from this version, a
On 12/11/2009 01:56 AM, Cedrick Kim wrote:
Can I add more than one file as input such as -input=file1 \
-input=file2 and so on. How many files can I input at once?
as many as you want -- there is no limit set in the SEC code.
BR,
risto
Thank you for your help
Cedrick
hi,
I had a quick look at the code, and the code fragment looks as follows:
if (!exists($corr_list{$key})) {
if (scalar(@{$subst})) {
$action = [];
$action2 = [];
copy_actionlist($ref->{Action}, $action);
copy_actionlist($ref->{Action2}, $action2);
How do you define a change in the trap?
br,
risto
--- On Mon, 5/31/10, Javier esj...@gmail.com wrote:
From: Javier esj...@gmail.com
Subject: [Simple-evcorr-users] Can SEC help me ??
To: simple-evcorr-users simple-evcorr-users@lists.sourceforge.net
Date: Monday, May 31, 2010, 8:15 PM
Hi,
i
it?. I
hope you can help me.
I'm still thinking that Contexts could be a good idea, but I don't
know how to do it.
thanks
2010/6/1 Risto Vaarandi risto.vaara...@seb.ee
mailto:risto.vaara...@seb.ee
On 06/01/2010 12:23 PM, Javier wrote:
Risto,
ok
hi Carlos,
are you using these contexts for storing data, or only as names? If they are
used only as names, you can take advantage of the 'alias' action for creating
many names for a single context, and the call 'delete' for this context once a
day that drops all names. This scheme as one
hi Ali,
it is tricky to solve this issue (and similar problems) with eval, since the
eval miniprogram will always be compiled after variable substitution. If you
want to have a more bulletproof solution, the simplest way is to use an
anonymous function instead of a miniprogram -- compile the
instead of 2A - but this behavior is not the behavior an end
user would expect. One would expect that in the event store
the context is the key, and the description is the value,
and that the value could be anything.
Thanks everyone for all contributions to SEC (especially
Risto Vaarandi
Jeff,
sorry for somewhat late answer. What is this ruleset designed for? Should it
report all SSH login failures, or rather the failures that have occurred after
the threshold has been crossed?
If you are after the second goal, I would create a context without a lifetime
in the 'action' field,
On 09/02/2010 02:27 PM, Risto Vaarandi wrote:
Sergio,
in my opinion, it would be much easier to create a single line within
the reporting script, since in the general case events must be somehow
separated from each other in the context event store. Also, the 'report'
action involves
Sergio,
in my opinion, it would be much easier to create a single line within
the reporting script, since in the general case events must be somehow
separated from each other in the context event store. Also, the 'report'
action involves an execution of a separate program which creates a lot
to see your example solutions :)
On Fri, 2010-10-01 at 19:17 +0300, Risto Vaarandi wrote:
hi Mike,
I have almost completed two possible example solutions to the problem,
but after seeing your e-mail I have an inkling I've got the problem
statement wrong :(
So far I had an impression that you
hi all,
although the Perl regular expression engine is very fast, I have recently started
thinking about a new pattern type which would allow one to reuse the results of
previous matches. This would be very handy in cases where multiple rules have
exactly the same pattern. Also, one can separate
--- On Sun, 10/3/10, John P. Rouillard rou...@cs.umb.edu wrote:
From: John P. Rouillard rou...@cs.umb.edu
Subject: Re: [Simple-evcorr-users] new pattern type for SEC
To: Risto Vaarandi rvaara...@yahoo.com
Cc: simple-evcorr-users@lists.sourceforge.net
Date: Sunday, October 3, 2010, 10:25 PM
In message 341229.52733...@web33008.mail.mud.yahoo.com,
Risto Vaarandi writes:
I've also been thinking about introducing optional
named fields for custom
patterns. For example, if in the first rule one writes
action=createpattern SYSLOG
HOST,PROGRAM,,MESSAGE
then the HOST, PROGRAM
On 10/07/2010 05:42 PM, Sorrell, Al wrote:
-----Original Message-----
snip
At this point, it seems quite likely that the new syntax will be
identical to Perl named match variables $+{name} (if I am not mistaken,
Perl supports them since version 5.10).
Would this require Perl 5.10 to run
Are you requesting this feature because you would like to change the list of
configuration files without restarting SEC? If so, then you could also take
advantage of SEC resource file which can be provided with an environment
variable.
As for changing syslog tag field dynamically for every
--- On Wed, 10/27/10, da...@lang.hm da...@lang.hm wrote:
From: da...@lang.hm da...@lang.hm
Subject: Re: [Simple-evcorr-users] New feature requests
To: Risto Vaarandi rvaara...@yahoo.com
Cc: simple-evcorr-users@lists.sourceforge.net, peif...@umn.edu
Date: Wednesday, October 27, 2010, 1:11
syslog
server).
hope this helps,
risto
--- On Wed, 10/27/10, Tim Peiffer peif...@umn.edu wrote:
From: Tim Peiffer peif...@umn.edu
Subject: Re: [Simple-evcorr-users] New feature requests
To: Risto Vaarandi rvaara...@yahoo.com
Cc: simple-evcorr-users@lists.sourceforge.net
Date: Wednesday
On 11/01/2010 11:16 PM, Risto Vaarandi wrote:
hi Tim,
here is the workaround I promised -- it works for the Linux/DGRAM-socket
systems:
type=Single
ptype=SubStr
pattern=SEC_STARTUP
context=SEC_INTERNAL_EVENT
continue=TakeNext
desc=Load the Socket module and store facility/level values
hi,
and sorry for not being able to answer yesterday :(
There is an easy explanation to the issue. The %alnum variables (which
are created by SEC actions) can only be used in action lists, while the
$num and %num match variables (created by patterns) work across
entire rule definition. However,
On 11/24/2010 12:15 AM, Tim Peiffer wrote:
On 11/17/10 3:13 PM, Tim Peiffer wrote:
I need some help in debugging a context expression. I create intercept
zones in my recursive DNS configurations in a somewhat automated
manner. Conversely, I would like to know when the zones expire, and
to
create the link.
kind regards,
risto
Regards,
Tim Peiffer
On 11/26/10 4:34 PM, Risto Vaarandi wrote:
Tim,
that's a good question. In fact, SEC uses the stat(2) system call for
checking the attributes of the log file, and the check is applied both
for the open file descriptor and file name
2010/11/28 Peter Wolfenden pwolfen...@qualys.com:
If you want to make absolutely sure to process all the log lines *and* you
are in a position to control how your backup application writes to its log
files, then it may be worth considering using multilog to send one copy of
the data to an
On 12/01/2010 03:55 PM, M Haris Farooque wrote:
dear all,
I have a very lame question to ask.
how to send data to SEC from command line. The SEC is running as daemon.
I am using a FIFO (Pipe) from SEC to write some data instantly as log
data through pipe and its working fine but I like to
On 12/03/2010 11:42 AM, M Haris Farooque wrote:
On 02.12.2010 11:17, Risto Vaarandi wrote:
Hello Risto,
In the beginning no, but later yes, I did specify
-input=/usr/local/etc/SEC_Log_Pipe. And /tmp/sec.dump is also not showing
my input. here is the snapshot of sec.dump;
Program options
Am I understanding correctly that you want to write some of the data
from named pipe to an external log? Since SEC is already reading from
the pipe, it's a bad idea to start another process that reads the same
pipe, since reading removes data from pipe.
I would recommend a separate rule that
2010/12/9 Tim Peiffer peif...@umn.edu:
I am trying to use mysql table lookups to extract connector and contact
information to provide look aside for handling various correlator. Can
I assign and dereference perl arrays in the eval minicode? How do I
pass parameters from the regexp as quoted
shorter.
BR,
risto
2010/12/12 Risto Vaarandi risto.vaara...@gmail.com:
Tim,
although I can see some rationale for the secrc flag, the -title
option looks somewhat weird to me. Actually, in the UNIX world it is
common to create a hard link to a program if there is a need to run
the same
On 12/12/2010 05:34 AM, John P. Rouillard wrote:
In message 4d042711.7090...@umn.edu,
Tim Peiffer writes:
First, the -title is not needed unless you can't get enough of the
command line in the buffer to see what is going on. In one case I use
Solaris 5.10, and I can't get the whole
hi folks,
today, I've released SEC-2.6.alpha1 which includes a number of new
features like the support for named match variables, variable maps,
several performance improvements and one bug fix, and finally the
EventGroup rule which allows for correlation of custom number of
_different_ events in
2011/1/4 John P. Rouillard rou...@cs.umb.edu:
Hi Risto:
In message aanlktikpqrrfg2rshokhyynl8ob9wjojmvlfdldxs...@mail.gmail.com,
Risto Vaarandi writes:
Also, I have made substantial changes to the man page and although the
overall structure is roughly the same, a lot of content is completely
On 01/13/2011 11:37 AM, M Haris Farooque wrote:
hi all,
I am getting this error "Rule in /usr/local/sec/rules/snpv.cfg at line
17: Invalid regular expression"
On 01/21/2011 01:25 AM, Mark D. Nagel wrote:
On 1/20/2011 12:40 PM, Morris, Patrick wrote:
On 1/20/2011 11:26 AM, Morris, Christopher wrote:
type=SingleWithThreshold
continue=takenext
ptype=RegExp
pattern=:\d\d \S+ .*Liberty app at (\S+) (.*)
desc=Liberty at host:port $1 reporting
On 02/18/2011 01:48 AM, da...@lang.hm wrote:
I want to do a 'alert if more than X events in Y min' type of thing, but
with the resulting alert containing the logs of the X events.
I know that I can do something along the lines of
if event
add log message to context (with an expiration of
hi all,
I'd like to return to a topic recently discussed in the mailing list.
I am in the process of implementing a pattern match caching for SEC, and
it is really hard to decide which way is the best one. Currently, I have
already implemented a separate Parse rule for this purpose. For example,
hi all,
I've released SEC-2.6.0 which provides some additions to the 2.6.alpha
versions, most notably support for pattern match caching. Also, the
input status polling functions have been updated, in order to lessen the
number of system calls.
The new version is available at:
hi all,
a small note that might be interesting for some. The first public
version of SEC (1.0) was released 10 years ago, in March 23 2001.
Few facts about the 1.0 version:
- it had 3,059 lines and 75KB of code (in contrast, the latest 2.6.0
version has almost 10,000 lines and 280KB of code)
-
topic!
C.
On 23 Mar 2011, at 11:15, Eric Smith wrote:
On 03/23/2011 05:25 AM, Risto Vaarandi wrote:
I would like to thank all list members for exchanging many interesting
ideas which have supported the development of SEC. My special thanks
goes to John Rouillard for many creative
hi Miles,
in fact, your question touches nicely on a couple of new features of the
2.6.0 version.
With previous versions, there were several options for addressing this
question. First, you could set up two rules in the style described in
Q17 of the FAQ
On 03/25/2011 02:27 PM, Supratik Goswami wrote:
Hi
I want to extract everything with multiple lines between two markers.
I want to display everything between:
/WY_LOG_TYPE_ERROR **/
/**/
/
/
/
/
So if the text entered in the log file
/WY_LOG_TYPE_ERROR **/
in the input file, but this time the
previous 20 lines are still there in the buffer. So the regular
expression matches them also.
How can I clear the input buffer each time?
On Fri, Mar 25, 2011 at 8:32 PM, Risto Vaarandi risto.vaara...@seb.ee
mailto:risto.vaara...@seb.ee wrote:
On 03/25/2011 02
is SEC is firing the event twice. So if I set
action=logonly, it's getting logged twice. If I set action=(send mail to
me), it's sending two mails.
Any help will be highly appreciated.
On Mon, Mar 28, 2011 at 2:24 PM, Risto Vaarandi risto.vaara...@seb.ee
mailto:risto.vaara...@seb.ee wrote
Ludovic,
there are several ways to address the problem, but it depends what
exactly you would like to do.
Do you want to keep track of different user names, and report current
counters for all users once in X minutes, or do you rather want to send
a report for each user after the user has been
hi Rafael,
there are three kinds of variables that can be used in SEC rules:
1) action list variables which are visible in action lists only (e.g.,
%t or %s),
2) match variables which are set by patterns (e.g., $1 or $+{varname}),
3) Perl variables that are set and used in Perl code snippets
On 04/05/2011 11:54 PM, MILLS, ROCKY (ATTSI) wrote:
For discussion only -- not an immediate need to be addressed.
~
Well, the 'input' field looks like a synonym to the file context to
me... Maybe I haven't got all the details for the 'input' field, though.
However, there is one danger
hi Uwe,
the problem you are seeing is caused by a side effect of Pair rule, but
can easily be fixed by changing the 'pattern2' field just a bit.
Let me explain why this is happening. After you have submitted to SEC the
first 4 input lines, SEC has two event correlation operations running
that have
Rafael,
you need to escape the %-sign with another %, so %hash should be
written as %%hash.
The problem is that action list variables also begin with %, and they
are substituted before the Perl code is evaluated. With pre 2.6
versions, variables without values were not substituted, but this
name.
hope this helps,
risto
-----Risto Vaarandi risto.vaara...@gmail.com wrote: -----
To: John Grasett john.gras...@atech.com
From: Risto Vaarandi risto.vaara...@gmail.com
Date: 04/15/2011 12:43PM
Cc: simple-evcorr-users@lists.sourceforge.net
Subject: Re: [Simple-evcorr-users
On 05/20/2011 02:56 PM, Matthieu Pérotin wrote:
Hi,
we recently experienced an annoying problem with processes that, in some
circumstances, would get stuck and never return. The fault here is
clearly on the processes side, but one can never be sure that a process
will return nicely... The
On 05/23/2011 04:51 PM, Matthieu Pérotin wrote:
Hi Risto,
the solutions you list are fine with us. The only objections I may have
are:
- the shell-only solution induces an additional fork, which is not
necessary with a patch. It may be problematic on heavily loaded systems;
- we are losing