In message <79cfa2e7-a525-42fa-ba1c-9e895580d...@gmail.com>, Sven Leupold writes: >Excellent article!
Glad you found it useful. >The mentioned chapters handle positive rules, based on events. I guess they >won't work without an event? In my setup I'd like to figure out whether or >not zero or more events were seen in a sliding time window. E.g. "Did system ><A> sent at least 5 messages during the last 3600s ?" I think Risto gave you another possible solution to that problem as well. IIRC his solution used a calendar rule to create a synthetic event. That works well if you have a given time period (say for every hour period starting at midnight and continuing to midnight). One of the rules I usually set up for monitoring is to capture heartbeat commands for every system created every 10 minutes using the logger command. The ruleset in SEC captures every heartbeat and if it is an unknown host (i.e. a new one we added to log monitoring), it captures the seeding event and stores it to be replayed when SEC restarts. Again I am creating a seed event to trigger the monitoring operation. http://www.cs.umb.edu/~rouilj/sec/rulesets/10timestamp.sr was an implementation of the hearbet capture rules. Another way to do it is to reverse the test and analysis. (Again this may be what risto proposed, I don;t quite remember). Structure your rules this way: type = SingleWithThreshold ptype = regexp pattern = message window = 3600 thresh = 4 action = create saw_5_events 3601 type = calendar time = 0 * * * * context = ! saw_5_events action = write - 5 events have not arrived in past hour IIRC once the SingleWithThreshold rule is triggered all the events it is counting are cleared, but I am not sure about that. I think it works like this: time event action (min) 0 message 10 message 20 message 30 message 40 message create saw_5_events 50 message (ignored) 60 message (ignored, window expires) 70 message 80 message 90 message 100 message 110 message create saw_5_events but it's possible this could be valid: time event action (min) 0 message 10 message 20 message 30 message 40 message create saw_5_events 50 message (ignored) 60 message (ignored, window expires) 70 message create saw_5_events (time=10,20,30,40,70) 80 message create saw_5_events (time=20,30,40,70,80) 90 message create saw_5_events (time=30,40,70,80,90) 100 message create saw_5_events (time=40,70,80,90,100) 110 message create saw_5_events (time=70,80,90,100,110) I'd have to test as the manual doesn't say what happens to the sliding window if the rule is triggered. But in the first case, the calendar rule should work fine as the 3601 second lifetime permits the saw_5_events to be seen by the calendar rule even if it was created just at the beginning of the hour period. Hopefully that gives you some more ideas about how to approach the monitoring problem. -- -- rouilj John Rouillard =========================================================================== My employers don't acknowledge my existence much less my opinions. ------------------------------------------------------------------------------ _______________________________________________ Simple-evcorr-users mailing list Simple-evcorr-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
