Hi list, I was wondering if you can re-use a pattern with multiple pattern2's in a pair.
For example, if I had 2 pairs:

# pair 1
type=pair
ptype=regexp1
pattern=audit\(\d+).*success\=yes\s
desc="Successful command execution"
action=none
ptype2=regexp1
pattern2=audit\(\d+\.\d+\:($1)\)\:.*filterkey\=my-first-key
desc2=$0
action2=shellcmd /do/something

and

# pair 2
type=pair
ptype=regexp1
pattern=audit\(\d+).*success\=yes\s
desc="Successful command execution"
action=none
ptype2=regexp1
pattern2=audit\(\d+\.\d+\:($1)\)\:.*filterkey\=my-second-key
desc2=$0
action2=shellcmd /do/something/else

If they both have the same initial pattern, is it possible for the second pair to ever be met? I guess I'm having that problem. The first pattern occurs often in my log files, and I really just want to make a decision based on the second pattern (if the first pattern is also met). I'm not seeing SEC match the second pair's pattern2 though. I think it may be because it's waiting for the first pair's pattern2??? Can someone clarify this?

I think a workaround is to specify a bunch of OR cases in my second pattern, but that's less than ideal because there may be many OR cases in the future.

Thanks in advance,
Tim
