hi John,

I had a look at the sec command line and noticed that the -intcontexts flag is missing. By default, the internal context creation feature is disabled. Did you see the same behavior with -intcontexts specified on the command line?

regards,
risto

--- On Sun, 7/26/09, John P. Rouillard <rou...@cs.umb.edu> wrote:

> From: John P. Rouillard <rou...@cs.umb.edu>
> Subject: [Simple-evcorr-users] _INTERNAL_EVENT not being set when processing 'event' action event
> To: simple-evcorr-users@lists.sourceforge.net
> Date: Sunday, July 26, 2009, 11:06 PM
>
> Hi all:
>
> I have been running through my examples for a class I am teaching in
> November and came across the following bug. In the sec 2.5.2 man page,
> it says that the context _INTERNAL_EVENT:
>
>    If the line was created with the event action, the name of the
>    internal context is _INTERNAL_EVENT.
>
> However that seems to not be working. Using the ruleset:
>
>    type = singlewithscript
>    desc = test internal event
>    ptype = regexp
>    context = eventgen
>    pattern = generate
>    script = /bin/cat
>    action = delete eventgen
>
>    type = single
>    desc = generate internal event
>    ptype = regexp
>    pattern = generate
>    context = ! eventgen
>    action = create eventgen; event $0
>
> and running with:
>
>    sec -conf event_context_test.sr -input=-
>
> I start it up and type in "generate event" (my input is outdented) and see:
>
>    SEC (Simple Event Correlator) 2.5.2
>    Reading configuration from event_context_test.sr
>    2 rules loaded from event_context_test.sr
> generate event
>    Creating context 'eventgen'
>    Creating event 'generate event'
>    Child 29552 created for command '/bin/cat'
>    eventgen (*)
>    Child 29552 terminated with exitcode 0
>    Deleting context 'eventgen'
>    Context 'eventgen' deleted
>
> the "eventgen" context is shown (*), but no _INTERNAL_EVENT
> context. If I change the context value on the first rule from:
>
>    context = eventgen
>
> to
>
>    context = eventgen && _INTERNAL_EVENT
>
> I see:
>
> generate event
>    Creating context 'eventgen'
>    Creating event 'generate event'
> generate event
>
> so the SingleWithScript rule doesn't fire. This is using cygwin 1.7
> and 2.5.2 of SEC, but I claim it's going to be a problem on any
> system.
>
> --
>
> -- rouilj
> John Rouillard
> ===========================================================================
> My employers don't acknowledge my existence much less my opinions.
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users