Thanks, John! This worked like a charm. :) Regards, Ronald
-----Original Message-----
From: John P. Rouillard [mailto:rou...@cs.umb.edu]
Sent: Saturday, October 24, 2009 11:47 AM
To: 'simple-evcorr-users@lists.sourceforge.net'
Subject: Re: [Simple-evcorr-users] SEC not reading lines over 1024 in length

In message <c0ff067618fca745ac37517023f8c9ac3e94a85...@wp40045.corp.ads>,
Ronald San Juan writes:
>Scenario: The logfile has lines reaching 1600 characters in length.
>
>rule:
>
>type=singlewiththreshold
>ptype=regexp
>pattern=(routing.jsp_servlet._dialogs)
>desc=$0
>action=write - $0
>window=10
>thresh=10
>
>result:
>
>When thresh is set to 10, the rule is loaded but I do not get any
>result. The threshold is definitely being met as the pattern occurs at
>least 10 times per second. When I set the thresh to 1, I get the
>results. Basically, setting the thresh to any number greater than one
>does not trigger the alarm.

This looks like the usual problem using the desc parameter. You state
'the pattern occurs at least 10 times per second' but that is not what
you are actually counting. What you are counting is the number of
occurrences of the entire line (i.e. $0). If you just want to count the
pattern, the desc parameter must consist of the pattern you want to
count. Compare

  type=singlewiththreshold
  ptype=regexp
  pattern=(routing.jsp_servlet._dialogs)
  desc=$1
  action=write - $0
  window=10
  thresh=10

this with what you have. $0 is replaced with $1.

The behind the scenes stuff that makes this work is described in the
SEC man page, but it basically goes like this:

  read a line
  if the line matches the pattern of a correlating rule
     (e.g. pair, pairwithwindow, singlewiththreshold etc)
    calculate the desc parameter for the line
    if an existing correlation operation for the same rule with the
       same desc parameter exists
      count the current line as part of that correlation operation.
    if there is no existing correlation operation, start a new one.

In your original case if $0 is different in any respect (timestamp,
line number ...) the desc parameter will be different for every event
and the lines/events will appear to be unrelated.

The easy way to tell if this is happening is to send a kill -USR1 to
the running sec process. It will dump its internal state to
/tmp/sec.dump (make sure the file doesn't exist before sending the kill
or it won't get updated). In the correlation section you will see
multiple operations listed.

>I'm thinking because of the limitation of sysread to 1024 characters,
>SEC is unable to process multiple lines in a singlewiththreshold window.

No, as mentioned in another email the 1024 setting can be changed on
the command line. Also your singlewiththreshold rule is only matching a
single line not multiple lines.

>I tried the same rule to a similar file whose characters per line does
>not exceed 1024 and it works fine.

$0 is probably identical in that case.

--
                                -- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users