Hello list,
I’m trying to get this rule working. The action works, but action2 does not.
What am I missing?
type=PairWithWindow
ptype=regexp
pattern=host.(\S+)\s+subtype=\S+\smessage=.*User-ID-Agent\s+(\S+)\s(\S+):
desc=(WARNING) $1 is $3 from $2
action=pipe 'sending' /etc/logzilla/scripts/sec
have a “recovered” string for the second to match on.
I haven’t dug into this in years so I may be mistaken.
Regards,
Jon Frazier
From: Tom Damon via Simple-evcorr-users
Sent: Thursday, April 11, 2024 12:00 PM
To: simple-evcorr-users@lists.sourceforge.net
Subject: [External] [Simple-evcorr
at the first pattern would only match
the specific event which should start the event correlation operation, whereas
the second pattern would only match the event which should end the operation.
kind regards,
risto
Contact Tom Damon via Simple-evcorr-users
(mailto:simple-evcorr-users@lists.sourcef
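As an added illustration that is not part of this thread and not SEC's own code: a small Python emulation of PairWithWindow semantics run over constructed log lines, showing the point made above about the two patterns. When the first pattern is loose enough to also match the recovery event (as the posted `User-ID-Agent\s+(\S+)\s(\S+):` pattern would for any "User-ID-Agent X Y:" message), the recovery line is consumed as a repeated start event, pattern2 is never consulted, and only `action` fires when the window expires. Narrowing the first pattern to the problem event and giving pattern2 a string that appears only in the recovery event makes `action2` fire. The event layout, the "disconnected"/"connected" messages, the desc keys, the window value and the 300-second end time are all assumptions; the emulator simplifies SEC (one rule, no cross-referencing of first-match variables in pattern2, expiry checked only when an event arrives or at the end).

```python
import re
from dataclasses import dataclass

# Constructed sample input (not from the thread): (time in seconds, log line).
# The field layout imitates the "host=... subtype=... message=..." line that the
# posted rule's first pattern expects; the "connected" recovery message is an
# assumption, since the thread never shows the real end event.
SAMPLE_EVENTS = [
    (0,  "host=fw1 subtype=system message=User-ID-Agent pan-agent1 disconnected: timeout"),
    (30, "host=fw1 subtype=system message=User-ID-Agent pan-agent1 connected: recovered"),
    (60, "host=fw2 subtype=system message=User-ID-Agent pan-agent2 disconnected: timeout"),
]

# Loose start pattern in the spirit of the posted rule: it matches the recovery
# event too, because "connected:" is also a "<word>:" after the agent name.
LOOSE_START = r"host=(\S+)\s+subtype=\S+\s+message=.*User-ID-Agent\s+(\S+)\s+(\S+):"
# Tightened start pattern: matches only the problem event.
TIGHT_START = r"host=(\S+)\s+subtype=\S+\s+message=.*User-ID-Agent\s+(\S+)\s+disconnected:"
# Second pattern: matches only the recovery event ("\s+connected:" does not
# match "disconnected:" because the whitespace must directly precede it).
RECOVERY = r"host=(\S+)\s+subtype=\S+\s+message=.*User-ID-Agent\s+(\S+)\s+connected:"


@dataclass
class PairWithWindowRule:
    pattern: str    # starts an operation; should match only the problem event
    pattern2: str   # ends the operation; should match only the recovery event
    desc: str       # key template for the first match ($1, $2, ...)
    desc2: str      # key template for the second match; must yield the same key
    window: int     # seconds to wait for pattern2 before action fires


def _key(template, match):
    """Expand $N in a desc/desc2 template with the Nth capture group."""
    return re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))), template)


def correlate(rule, events, end_time):
    """Emulate one PairWithWindow rule over (time, line) pairs.

    Simplified semantics: a first-pattern match starts an operation keyed by
    desc (a repeated start for an existing key is ignored and the event is
    consumed). If pattern2 matches a later event whose desc2 key names a
    pending operation within `window` seconds, action2 fires and the pending
    action is dropped; otherwise action fires when the window expires.
    Returns [(time, "action" | "action2", key), ...] in firing order.
    """
    pending = {}   # key -> start time
    fired = []

    def expire(now):
        for key, t0 in sorted(pending.items(), key=lambda kv: kv[1]):
            if now - t0 >= rule.window:
                fired.append((t0 + rule.window, "action", key))
                del pending[key]

    for t, line in events:
        expire(t)
        m = re.search(rule.pattern, line)
        if m:
            pending.setdefault(_key(rule.desc, m), t)  # duplicate start: ignored
            continue                                    # event consumed by pattern
        m2 = re.search(rule.pattern2, line)
        if m2:
            key = _key(rule.desc2, m2)
            if key in pending:
                del pending[key]
                fired.append((t, "action2", key))
    expire(end_time)
    return fired


# Broken variant: the first pattern also swallows the recovery event.
BROKEN = PairWithWindowRule(pattern=LOOSE_START, pattern2=RECOVERY,
                            desc="$2 on $1", desc2="$2 on $1", window=90)
# Fixed variant: each pattern matches only its own event type.
FIXED = PairWithWindowRule(pattern=TIGHT_START, pattern2=RECOVERY,
                           desc="$2 on $1", desc2="$2 on $1", window=90)

if __name__ == "__main__":
    for name, rule in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, correlate(rule, SAMPLE_EVENTS, end_time=300))
```

With the broken rule only `action` fires, for both agents, once the window has passed; with the fixed rule the fw1 agent's recovery at t=30 fires `action2` and cancels the pending `action`, while fw2, which never recovers, still gets `action` at t=150. The same check applies to a real SEC rule: feed a sample recovery line through pattern alone and confirm it does not match, then through pattern2 and confirm it does.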