hi Hari,
after reading your mail, my first impression is that it shouldn't (and 
actually, couldn't) be something that is built into SEC. SEC output 
actions are currently very generic ones and they are not restricted to 
doing something with lines that the pattern matched (i.e., the value of 
$0 only). Therefore, I would argue that the best place for any coloring 
scheme is the output script that is invoked from SEC.
However, let me ask one question -- why are you having difficulties with 
identifying the rule that produced the alert? You are not limited to 
mailing the $0 value only, but you can also send any data you want from 
SEC as an alert.
br,
risto

Hari Sekhon wrote:
> Hi,
> 
>    I have an extensive monitoring and alerting infrastructure which uses 
> Sec for part of the alerting but I am getting some alerts and having 
> trouble tracking down which of the thousands of sec event correlation 
> rules I have written are responsible for this particular alert.
> 
> I am getting emails regarding this alert, so it would be nice if it were 
> possible to colorize the alert message in a similar way to how grep can 
> colorize the part of the string that the regex has matched. Bolding it 
> is also a possibility I am considering instead of using colour (perhaps 
> an even better idea).
> 
> Is this something we should have a function for or can I simply write 
> some Perl to mangle the message itself before outputting it for email?
> 
> I have also considered the security ramifications of the contents of the 
> string and I've already written defenses for anti-log-analysis type 
> attacks such that the string will never be handled in an unsafe manner 
> at any stage in its journey, so I can output any arbitrary string 
> without worrying about it. I would have to make sure that any Perl I 
> write will itself not be susceptible to any mischief.
> 
> Does anyone have a view on the best way of doing this or if this should 
> be a feature request of some sort?
> 
> -h
> 

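As an added example (not from this thread, and not SEC's own code), one way to follow the suggestion above: keep the highlighting in the output script and have the SEC action pass the rule's desc along with $0, so every mail names the rule that fired. The script, its separator and the rule text in the docstring are assumptions, written in Python rather than Perl.

```python
#!/usr/bin/env python3
r"""SEC output script (assumed): mark which rule fired and bold the regex
match in the log line. Assumed SEC rule that feeds it, desc first, then $0:
  type=Single
  ptype=RegExp
  pattern=Failed password for (\S+)
  desc=ssh-failed-password
  action=pipe '%s|$0' /usr/local/bin/highlight.py 'Failed password for (\S+)'
"""
import html
import re
import sys

SEP = "|"  # assumed separator between the rule's desc (%s) and $0


def highlight(line, pattern):
    """HTML-escape `line` and wrap every match of `pattern` in <b>.
    Escaping everything first means log content cannot inject markup."""
    out, pos = [], 0
    for m in re.finditer(pattern, line):
        if not m.group(0):  # skip zero-width matches
            continue
        out.append(html.escape(line[pos:m.start()]))
        out.append("<b>" + html.escape(m.group(0)) + "</b>")
        pos = m.end()
    out.append(html.escape(line[pos:]))
    return "".join(out)


def format_alert(payload, pattern):
    """Split the payload into rule id and line; return (subject, html body)."""
    rule_id, sep, line = payload.partition(SEP)
    if not sep:  # no separator: whole payload is the line, rule unknown
        rule_id, line = "unknown-rule", payload
    rule_id = rule_id.replace("\r", " ").replace("\n", " ")  # one-line header
    subject = "[SEC:%s] alert" % rule_id
    body = "<p>Rule: <code>%s</code></p><p>%s</p>" % (
        html.escape(rule_id), highlight(line, pattern))
    return subject, body


if __name__ == "__main__":
    # usage: highlight.py '<regex>'  (payload arrives on stdin from SEC's pipe action)
    subject, body = format_alert(sys.stdin.read().rstrip("\n"), sys.argv[1])
    print(subject)
    print(body)
```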

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
