Hi Alberto, thanks for the quick answer, but it is still not working. When I run perl sec... I see the following output:

# perl sec.pl -conf=my2.conf -input=/var/log/snmptt/snmptthandler.debug
SEC (Simple Event Correlator) 2.5.3
Reading configuration from my2.conf
1 rules loaded from my2.conf
Stdin connected to terminal, SIGINT can't be used for changing the logging level

Could it be the reason? Thanks

2010/5/21 Alberto Losada <alos...@s21sec.com>

> Hi,
>
> It seems that you missed the input file to check against the rule:
>
> perl sec.pl -conf=my2.conf
> -input=/var/log/snmptt/snmptthandler.log
>
> br
>
> Bufalo wrote:
> > Hi,
> >
> > I just want to integrate a SingleWithThreshold rule that works like this:
> >
> > I receive a trap to /var/log/snmptt/snmpttunknown.log. The first
> > trap's line in the log contains this:
> >
> > Fri May 21 11:44:16 2010: Unknown trap (OID) received from
> > 10.15.112.38 at:
> >
> > where OID is a variable large number. Then I call this rule:
> >
> >
> > #Don't show alert until it repeats 5 times in 1 minute
> > type=SingleWithThreshold
> > ptype=RegExp
> > pattern=Unknown trap (\S+)
> > desc=Mensaje de $1
> > action=shellcmd /home/javier/msg.sh --> this script is: #!/bin/sh
> > (next line) echo umbral superado >> traps.log
> > window=60
> > thresh=5
> >
> >
> > in this way:
> >
> > perl sec.pl -conf=my2.conf
> > -syslog=/var/log/snmptt/snmptthandler.debug
> >
> > But it doesn't write anything in traps.log. So, does anyone know what I am
> > surely doing wrong?
> >
> > thanks
>
> --
> Alberto Losada Grande
> Dpto Integración Productos Propios
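
Added example, not part of the original thread and not SEC's own code: a simplified Python model of how a SingleWithThreshold rule counts events, using the pattern, desc, window and thresh values from the rule quoted above. SEC keeps a separate counter for each distinct desc string, so with desc=Mensaje de $1 five traps carrying five different OIDs never reach thresh=5. The OID values and the trap_lines helper are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

PATTERN = re.compile(r"Unknown trap (\S+)")  # pattern= from the rule
WINDOW = timedelta(seconds=60)               # window=60
THRESH = 5                                   # thresh=5
TS_FORMAT = "%a %b %d %H:%M:%S %Y"           # "Fri May 21 11:44:16 2010"

def correlate(lines):
    """Return (timestamp, desc) for each point where the rule's action would run."""
    counting = {}   # desc -> timestamps of events inside the current window
    muted = {}      # desc -> time until which further matches are only consumed
    fired = []
    for line in lines:
        m = PATTERN.search(line)
        if not m:
            continue
        ts = datetime.strptime(line[:24], TS_FORMAT)
        desc = "Mensaje de " + m.group(1)      # desc=Mensaje de $1
        if desc in muted:
            if ts < muted[desc]:
                continue                       # action already ran in this window
            del muted[desc]
        times = counting.setdefault(desc, [])
        times.append(ts)
        while ts - times[0] >= WINDOW:         # too slow: slide the window forward
            times.pop(0)
        if len(times) >= THRESH:
            fired.append((line[:24], desc))
            muted[desc] = times[0] + WINDOW
            del counting[desc]
    return fired

def trap_lines(oids, step=5):
    """Constructed sample input: one trap line per OID, `step` seconds apart."""
    t0 = datetime.strptime("Fri May 21 11:44:16 2010", TS_FORMAT)
    return [
        f"{(t0 + timedelta(seconds=i * step)).strftime(TS_FORMAT)}: "
        f"Unknown trap ({oid}) received from 10.15.112.38 at:"
        for i, oid in enumerate(oids)
    ]

if __name__ == "__main__":
    same = trap_lines([".1.3.6.1.4.1.99999.1"] * 5)            # constructed OIDs
    mixed = trap_lines([f".1.3.6.1.4.1.99999.{n}" for n in range(1, 6)])
    print("same OID:", correlate(same))
    print("five different OIDs:", correlate(mixed))
```

Note that (\S+) captures the OID together with its surrounding parentheses, because the parentheses in the pattern form a capture group and do not match the literal "(" and ")" in the log line.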