Calhoun, Matthew wrote:
> Thanks Risto, that gets me looking in the right direction. What if the
> pattern I'm looking for is on the 4th line of 8 lines and I need to send all
> 8 lines to the script (as below)?
>
the solution is straightforward -- use the regexp8 pattern type and look for
\n (newline character) both before and after the IF-MIB::linkDown string:

\n.*\n.*\n.*IF-MIB::linkDown.*\n.*\n.*\n.*\n

hth,
risto

> My.host.name
> UDP: [1.1.1.1]:55785
> DISMAN-EVENT-MIB::sysUpTimeInstance 23:21:27:44.17
> SNMPv2-MIB::snmpTrapOID.0 IF-MIB::linkDown
> IF-MIB::ifIndex.151 151
> IF-MIB::ifDescr.151 GigabitEthernet7/47
> IF-MIB::ifType.151 ethernetCsmacd
> CISCO-SMI::local.2.1.1.20.151 "Lost Carrier"
>
> Thanks,
> Matt
>
> -----Original Message-----
> From: Risto Vaarandi [mailto:[EMAIL PROTECTED]
> Sent: Monday, December 01, 2008 3:04 PM
> To: [email protected]; Calhoun, Matthew
> Subject: Re: [Simple-evcorr-users] PIPE Action Question
>
>
>> From: Calhoun, Matthew <[EMAIL PROTECTED]>
>> Subject: [Simple-evcorr-users] PIPE Action Question
>> To: "[email protected]"
>> <[email protected]>
>> Date: Monday, December 1, 2008, 9:45 AM
>> I'm new to SEC and have run into an issue. I've
>> written a rule to look for all "linkDown" events.
>> If the event is found, I want to send the entire event to my
>> script so I can do some further parsing and conditional
>> notifications. Everything is matching properly and my
>> command is being executed. However, it appears that only the
>> first line of the event (before the first line break) is
>> actually being sent to my script as STDIN via the Pipe
>> command.
>>
>> Here's my rule:
>>
>> type=single
>> continue=takeNext
>> ptype=regexp
>> pattern=IF-MIB::linkDown
>> desc=Blah
>> action=pipe '$0' /usr/local/ioscripts/traphandle
>>
>> Mon Dec 1 10:44:09 2008: Feeding event '2008-12-01
>> 10:44:09 {HOSTNAME REDACTED} [UDP: [{IP
>> REDACTED}]:55785]:' to shell command
>> '/usr/local/ioscripts/traphandle'
>> Mon Dec 1 10:44:09 2008: Child 22853 created for command
>> '/usr/local/ioscripts/traphandle'
>> Mon Dec 1 10:44:10 2008: Child 22853 terminated with
>> non-zero exitcode 29 ( /usr/local/ioscripts/traphandle )
>>
>> Is there something I am missing? Is there a way I can get
>> the whole event over to my script?
>
> hi Matt,
> did I understand correctly that you are actually trying to match a multiline
> event and the string "IF-MIB::linkDown" just appears in the first line? If
> that's the case, you can use the RegExpN pattern type for matching this
> multiline event (where N is the number of lines you are trying to match). You
> also have to specify that a certain number of newlines come after the string.
> For example, the following ptype and pattern definitions match 3 lines, where
> the first line contains the string of interest:
>
> ptype=RegExp3
> pattern=IF-MIB::linkDown.*\n.*\n
>
> When SEC does single line matching, it simply takes the last line from input
> buffer with the terminating newline removed. When SEC does multiline matching
> for N lines, it takes N last lines from the input buffer and forms a single
> string from them, using the newline character as a separator (so 3 lines
> line1, line2, line3 form the following string:
> "line1<newline>line2<newline>line3"). Therefore, the above pattern matches 3
> lines where the first line contains "IF-MIB::linkDown". Note that in the case
> of multiline matching, the $0 variable is set to the string
> "line1<newline>...<newline>lineN" that was formed for the matching process --
> which is exactly what you need.
>
> hth,
> risto
>
>
>> Thanks,
>> Matt
>>
>> -------------------------------------------------------------------------
>> This SF.Net email is sponsored by the Moblin Your Move
>> Developer's challenge
>> Build the coolest Linux based applications with Moblin SDK
>> & win great prizes
>> Grand prize is a trip for two to an Open Source event
>> anywhere in the world
>> http://moblin-contest.org/redirect.php?banner_id=100&url=/
>> _______________________________________________
>> Simple-evcorr-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
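
Added example, not part of the original thread and not SEC's own code: a Python simulation of the single-line and N-line matching described in the replies above, run over the 8-line trap quoted in the thread. The function names, the surrounding stream lines and the choice to wait until N lines have been read are assumptions made for this illustration.

```python
import re
from collections import deque

# Pattern from the reply: 3 newlines before the marker line, 4 after it.
PATTERN = re.compile(r"\n.*\n.*\n.*IF-MIB::linkDown.*\n.*\n.*\n.*\n")

# The 8-line trap quoted in the thread.
TRAP = [
    "My.host.name",
    "UDP: [1.1.1.1]:55785",
    "DISMAN-EVENT-MIB::sysUpTimeInstance 23:21:27:44.17",
    "SNMPv2-MIB::snmpTrapOID.0 IF-MIB::linkDown",
    "IF-MIB::ifIndex.151 151",
    "IF-MIB::ifDescr.151 GigabitEthernet7/47",
    "IF-MIB::ifType.151 ethernetCsmacd",
    'CISCO-SMI::local.2.1.1.20.151 "Lost Carrier"',
]
# Constructed surrounding lines, so the trap is not alone in the stream.
STREAM = ["constructed line A", "constructed line B"] + TRAP + ["constructed line C"] * 3


def single_line_events(lines, marker="IF-MIB::linkDown"):
    """Like ptype=regexp: only the last line read is matched, so $0 is one line."""
    return [line for line in lines if re.search(re.escape(marker), line)]


def multiline_events(lines, pattern=PATTERN, n=8):
    """Like ptype=regexpN: the last n lines are joined with newlines and matched."""
    window = deque(maxlen=n)
    events = []
    for line in lines:
        window.append(line.rstrip("\n"))
        if len(window) < n:
            continue  # simplification: no match attempt before n lines are read
        joined = "\n".join(window)
        if pattern.search(joined):
            events.append(joined)  # stands in for $0 handed to the pipe action
    return events


if __name__ == "__main__":
    print("single-line $0:", single_line_events(STREAM))
    for event in multiline_events(STREAM):
        print("multiline $0:\n" + event)
```

Because `.` does not match a newline, the seven `\n` in the pattern pin the linkDown line to position 4 of the 8-line window, so the rule fires once per trap, when the trap's last line arrives.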
