Ralf Schmitt wrote:
> Tim,
> 
> thank you ... 'keys %main::context_list' is exactly what I need and your
> example helped me to understand the usage.
> 
> Regards,
> 
>   Ralf Schmitt    
> 

Hi Ralf,

I'd propose another solution to your problem. If all you want to do is 
to count unique IP addresses, I'd use a Perl hash for that which is set 
by the 'eval' action (note that printing out context content requires Perl 
code anyway).

type=Single
ptype=RegExp
pattern=sshd\[\d+\]: Invalid user \S+ from ([\d.]+)
desc=bad ssh from $1
action=eval %o ( ++$badipcount{"$1"}; )

type=Calendar
time=0 6 * * *
desc=SSH Report
action=eval %o ( while ($ip = each %badipcount) { print "$ip $badipcount{$ip}\n"; } )

This simple solution keeps IP address counters in the %badipcount hash, 
with the IP addresses acting as keys for the hash. I think it's somewhat 
simpler, because you don't need to memorize actual log file lines but 
rather their occurrence count only.

WBR,
risto

> 
>>> so what I need is something like "SRC_*" ... But
>>> I have no idea, how to do this :(
>>>   
>> I believe Jim Brown did something similar to this a while back to list
>> contexts during a shutdown event.  My memory is hazy, so I can't quote
>> the source.    The context names are listed as keys of
>> %main::context_list.  In the example below, I have a rule that creates a
>> context, adds events to that context, and then on the command 'writeme'
>> dumps all of the context names and the event store.
>>
>>
>> [EMAIL PROTECTED]:~$ sec.pl -conf=sec.cfg -input=- -debug=7
>> SEC (Simple Event Correlator) 2.4.2
>> Reading configuration from sec.cfg
>> 4 rules loaded from sec.cfg
>> foo1
>> Creating context 'cache'
>> Adding event 'foo1' to context 'cache'
>> foo2
>> Adding event 'foo2' to context 'cache'
>> writem
>> writeme
>> Evaluating code 'foreach $context (keys %main::context_list) {
>> foreach $event (@{$val = $main::context_list{$context}->{"Buffer"}})
>> {            print "context name $context event $event\n";           }
>> }       return "";      ' and setting variable '%o'
>> context name cache event foo1
>> context name cache event foo2
>> Variable '%o' set to ''
>>
>> Deleting stale context 'cache'
>> Reporting the event store of context 'cache' through shell command
>> '/bin/cat '
>> Child 7480 created for command '/bin/cat '
>> Stale context 'cache' deleted
>> foo1
>> foo2
>>
>> sec.cfg:
>> #
>> # for a pattern foo\S+ create a context known as 'cache' if one doesn't exist
>> # The cache lifetime is 30 seconds, so the create action 'report' dumps what
>> # is in the cache after its lifetime expires.
>> #
>> type=Single
>> ptype=Regexp
>> continue=TakeNext
>> pattern=foo(\S+)
>> desc=report
>> context=!cache
>> action=create cache 30 (report cache /bin/cat )
>> #
>> # for the same pattern foo\S+ if a context exists, add to it.
>> #
>> type=single
>> ptype=Regexp
>> continue=TakeNext
>> pattern=foo(\S+)
>> context=cache
>> desc=pattern from $1
>> action=add cache $0
>>
>> #
>> # Read the hash of SEC contexts (%main::context_list), and print out
>> # the content of all SEC contexts;
>> #
>> type=Single
>> ptype=substr
>> pattern=writeme
>> desc=Write all contexts to stdout
>> action= eval %o ( \
>>         foreach $context (keys %main::context_list) { \
>>           foreach $event (@{$val = $main::context_list{$context}->{"Buffer"}}) { \
>>             print "context name $context event $event\n"; \
>>             } \
>>         } \
>>         return ""; \
>>         ); \
>>         logonly %o;
>>
>>
>> Regards,
>> Tim Peiffer
>> Network Support Engineer
>> Office of Information Technology
>> University of Minnesota/NorthernLights GigaPOP
> 
> 
> 
> ------------------------------------------------------------------------------
> SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, Nevada.
> The future of the web can't happen without you.  Join us at MIX09 to help
> pave the way to the Next Web now. Learn more and register at
> http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
> 
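The hash-based counting from risto's reply, as an added stand-alone Perl example that is not part of the original thread. The sample log lines are constructed, and the sorted output and the clearing of %badipcount after each report are assumptions of this example; the rules in the reply do neither, so their counters keep growing across reports.

```perl
#!/usr/bin/perl
# Added example: simulates the Single and Calendar rules outside of SEC.
use strict;
use warnings;

# Same pattern as the Single rule in the reply.
my $pattern = qr/sshd\[\d+\]: Invalid user \S+ from ([\d.]+)/;

my %badipcount;    # IP address => number of matching lines

# Constructed sample input (documentation address ranges), not real logs.
my @lines = (
    'Mar  1 02:11:05 host sshd[4111]: Invalid user admin from 192.0.2.10',
    'Mar  1 02:11:09 host sshd[4113]: Invalid user test from 192.0.2.10',
    'Mar  1 02:12:40 host sshd[4120]: Invalid user oracle from 198.51.100.7',
    'Mar  1 02:13:02 host sshd[4125]: Accepted password for ralf from 203.0.113.5',
    'Mar  1 02:15:31 host sshd[4131]: Invalid user guest from 192.0.2.10',
);

# What the Single rule's eval does for each matching line.
sub count_line {
    my ($line) = @_;
    return 0 unless $line =~ $pattern;
    ++$badipcount{$1};
    return 1;
}

# What the Calendar rule's eval does, with two additions (assumptions of
# this example): sort by count, highest first, and clear the hash after
# reporting so each report covers only the period since the previous one.
sub report {
    my @out;
    for my $ip (sort { $badipcount{$b} <=> $badipcount{$a} || $a cmp $b }
                keys %badipcount) {
        push @out, "$ip $badipcount{$ip}";
    }
    %badipcount = ();
    return @out;
}

count_line($_) for @lines;
print "unique IPs: ", scalar(keys %badipcount), "\n";
print "$_\n" for report();
```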

