I'm new to SEC and have run into an issue. I've written a rule to look for all 
"linkDown" events. If the event is found, I want to send the entire event to my 
script so I can do some further parsing and conditional notifications. 
Everything is matching properly and my command is being executed. However, it 
appears that only the first line of the event (before the first line break) is 
actually being sent to my script as STDIN via the Pipe command.

Here's my rule:

type=single
continue=takeNext
ptype=regexp
pattern=IF-MIB::linkDown
desc=Blah
action=pipe '$0' /usr/local/ioscripts/traphandle

Mon Dec  1 10:44:09 2008: Feeding event '2008-12-01 10:44:09 {HOSTNAME REDACTED} [UDP: [{IP REDACTED}]:55785]:' to shell command '/usr/local/ioscripts/traphandle'
Mon Dec  1 10:44:09 2008: Child 22853 created for command '/usr/local/ioscripts/traphandle'
Mon Dec  1 10:44:10 2008: Child 22853 terminated with non-zero exitcode 29 ( /usr/local/ioscripts/traphandle )

Is there something I am missing? Is there a way I can get the whole event over 
to my script?

Thanks,
Matt
