Thanks Risto, that gets me looking in the right direction. What if the pattern 
I'm looking for is on the 4th line of 8 lines and I need to send all 8 lines to 
the script (as below)?

My.host.name
UDP: [1.1.1.1]:55785
DISMAN-EVENT-MIB::sysUpTimeInstance 23:21:27:44.17
SNMPv2-MIB::snmpTrapOID.0 IF-MIB::linkDown
IF-MIB::ifIndex.151 151
IF-MIB::ifDescr.151 GigabitEthernet7/47
IF-MIB::ifType.151 ethernetCsmacd
CISCO-SMI::local.2.1.1.20.151 "Lost Carrier"

Thanks,
Matt

-----Original Message-----
From: Risto Vaarandi [mailto:[EMAIL PROTECTED] 
Sent: Monday, December 01, 2008 3:04 PM
To: [email protected]; Calhoun, Matthew
Subject: Re: [Simple-evcorr-users] PIPE Action Question


> From: Calhoun, Matthew <[EMAIL PROTECTED]>
> Subject: [Simple-evcorr-users] PIPE Action Question
> To: "[email protected]" 
> <[email protected]>
> Date: Monday, December 1, 2008, 9:45 AM
> I'm new to SEC and have run into an issue. I've
> written a rule to look for all "linkDown" events.
> If the event is found, I want to send the entire event to my
> script so I can do some further parsing and conditional
> notifications. Everything is matching properly and my
> command is being executed. However, it appears that only the
> first line of the event (before the first line break) is
> actually being sent to my script as STDIN via the Pipe
> command.
>
> Here's my rule:
>
> type=single
> continue=takeNext
> ptype=regexp
> pattern=IF-MIB::linkDown
> desc=Blah
> action=pipe '$0' /usr/local/ioscripts/traphandle
>
> Mon Dec  1 10:44:09 2008: Feeding event '2008-12-01
> 10:44:09 {HOSTNAME REDACTED} [UDP: [{IP
> REDACTED}]:55785]:' to shell command
> '/usr/local/ioscripts/traphandle'
> Mon Dec  1 10:44:09 2008: Child 22853 created for command
> '/usr/local/ioscripts/traphandle'
> Mon Dec  1 10:44:10 2008: Child 22853 terminated with
> non-zero exitcode 29 ( /usr/local/ioscripts/traphandle )
>
> Is there something I am missing? Is there a way I can get
> the whole event over to my script?

hi Matt,
did I understand correctly that you are actually trying to match a multiline 
event and the string "IF-MIB::linkDown" just appears in the first line? If 
that's the case, you can use the RegExpN pattern type for matching this 
multiline event (where N is the number of lines you are trying to match). You 
also have to specify that a certain number of newlines come after the string. 
For example, the following ptype and pattern definitions match 3 lines, where 
the first line contains the string of interest:

ptype=RegExp3
pattern=IF-MIB::linkDown.*\n.*\n

When SEC does single line matching, it simply takes the last line from input 
buffer with the terminating newline removed. When SEC does multiline matching 
for N lines, it takes N last lines from the input buffer and forms a single 
string from them, using the newline character as a separator (so 3 lines line1, 
line2, line3 form the following string: "line1<newline>line2<newline>line3"). 
Therefore, the above pattern matches 3 lines where the first line contains 
"IF-MIB::linkDown". Note that in the case of multiline matching, the $0 
variable is set to the string "line1<newline>...<newline>lineN" that was formed 
for the matching process -- which is exactly what you need.

hth,
risto


>
> Thanks,
> Matt
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move
> Developer's challenge
> Build the coolest Linux based applications with Moblin SDK
> & win great prizes
> Grand prize is a trip for two to an Open Source event
> anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
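
An added example, not part of either message and not SEC's own code: a small Python model of the N-line window described in Risto's reply, applied to the 8-line trap from the follow-up question where the string sits on line 4. The `simulate` function, the surrounding stream lines and the anchored pattern are assumptions made for illustration; it shows that an unanchored 8-line pattern matches several successive windows, while anchoring three lines before and four after the string matches only the window holding the whole trap.

```python
import re
from collections import deque

# The 8-line trap quoted in the thread; the surrounding stream lines are constructed.
TRAP = [
    "My.host.name",
    "UDP: [1.1.1.1]:55785",
    "DISMAN-EVENT-MIB::sysUpTimeInstance 23:21:27:44.17",
    "SNMPv2-MIB::snmpTrapOID.0 IF-MIB::linkDown",
    "IF-MIB::ifIndex.151 151",
    "IF-MIB::ifDescr.151 GigabitEthernet7/47",
    "IF-MIB::ifType.151 ethernetCsmacd",
    'CISCO-SMI::local.2.1.1.20.151 "Lost Carrier"',
]
STREAM = ["earlier line"] + TRAP + ["later line 1", "later line 2", "later line 3"]

# Unanchored: the string followed by at least four more lines anywhere in the window.
LOOSE = r"IF-MIB::linkDown.*\n.*\n.*\n.*\n"
# Anchored: exactly three lines before and four lines after the line with the string.
ANCHORED = r"^(?:.*\n){3}.*IF-MIB::linkDown.*\n(?:.*\n){3}.*$"


def simulate(lines, pattern, n=8):
    """Model of N-line matching: join the last n lines with newlines and
    search the joined string. Returns the joined string (what $0 would
    hold) for every window that matched."""
    regex = re.compile(pattern)
    window = deque(maxlen=n)          # keeps only the n most recent lines
    hits = []
    for line in lines:
        window.append(line.rstrip("\n"))   # terminating newline removed
        joined = "\n".join(window)
        if regex.search(joined):
            hits.append(joined)
    return hits


if __name__ == "__main__":
    for name, pat in (("loose", LOOSE), ("anchored", ANCHORED)):
        hits = simulate(STREAM, pat)
        print(f"{name}: {len(hits)} matching window(s)")
        print(hits[0], end="\n\n")
```

In this model the unanchored pattern also matches the later windows in which the trap has already started to scroll out, so a script fed from those matches would receive partial traps mixed with following lines.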



