On 05/21/2010 03:46 PM, Bufalo wrote:
> Hi again,
>
> well, I tried all that but it is still not working... I'm still investigating
> but any idea would be appreciated.

are you sure there are 5 traps in the log within the 1 minute window?
Try changing the threshold from 5 to 1 and see if this changes anything...
BR,
risto

>
>
> thanks
>
> 2010/5/21 Alberto Losada <alos...@s21sec.com>
>
>     Hi,
>
>     I think your input file is /var/log/snmptt/snmpttunknown.log. It should
>     be the file where the traps are logged. The output seems correct, I
>     mean, there is no error loading the sec rule you wrote.
>
>     If you're sure that /var/log/snmptt/snmpttunknown.log contains lines
>     that match the pattern, you can force it to re-read the whole file from
>     the beginning:
>     perl sec.pl -conf=my2.conf -input=/var/log/snmptt/snmpttunknown.log -fromstart
>
>     If it still does not work, it is a good idea to have the sec rule read
>     its input from stdin, in this way:
>     perl sec.pl -conf=my2.conf -input=-
>     Once it has started, you can enter input through stdin. Try pasting:
>     Fri May 21 11:44:16 2010: Unknown trap (OID) received from 10.15.112.38 at:
>
>     Good luck
>     br
>
>     Bufalo wrote:
>      > Hi,
>      >
>      > Alberto, thanks for the quick answer but it is still not working. When
>      > I run perl sec... I see the following output:
>      >
>      > # perl sec.pl -conf=my2.conf -input=/var/log/snmptt/snmptthandler.debug
>      > SEC (Simple Event Correlator) 2.5.3
>      > Reading configuration from my2.conf
>      > 1 rules loaded from my2.conf
>      > Stdin connected to terminal, SIGINT can't be used for changing the
>      > logging level
>      >
>      > Could it be the reason?
>      >
>      > thanks
>      >
>      > 2010/5/21 Alberto Losada <alos...@s21sec.com>
>      >
>      >     Hi,
>      >
>      >     It seems that you missed the input file to check against the
>     rule:
>      >
>      >     perl sec.pl -conf=my2.conf -input=/var/log/snmptt/snmptthandler.log
>      >
>      >     br
>      >
>      >     Bufalo wrote:
>      > > Hi,
>      > >
>      > > I just want to integrate a SingleWithThreshold rule that works
>      > > like this:
>      > >
>      > > I receive a trap in /var/log/snmptt/snmpttunknown.log. The trap's
>      > > first line in the log contains this:
>      > >
>      > > Fri May 21 11:44:16 2010: Unknown trap (OID) received from
>      > > 10.15.112.38 at:
>      > >
>      > > where OID is a variable, large number. Then I call this rule:
>      > >
>      > >
>      > > # Don't show an alert until it repeats 5 times in 1 minute
>      > > type=SingleWithThreshold
>      > > ptype=RegExp
>      > > pattern=Unknown trap (\S+)
>      > > desc=Mensaje de $1
>      > > action=shellcmd /home/javier/msg.sh
>      > > window=60
>      > > thresh=5
>      > >
>      > > and this script is:
>      > >
>      > > #!/bin/sh
>      > > # "umbral superado" = "threshold exceeded"
>      > > echo umbral superado >> traps.log
>      > >
>      > >
>      > > in this way:
>      > >
>      > > perl sec.pl -conf=my2.conf -syslog=/var/log/snmptt/snmptthandler.debug
>      > >
>      > > But it doesn't write anything to traps.log. So, does anyone know what I
>      > > am surely doing wrong?
>      > >
>      > > thanks
>      > >
>      >
>      > > _______________________________________________
>      > > Simple-evcorr-users mailing list
>      > > Simple-evcorr-users@lists.sourceforge.net
>      > > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>      > >
>      >
>      >
>      >     --
>      >     Alberto Losada Grande
>      >     In-House Product Integration Dept.
>      >
>      >     Tel: 93 544 27 23
>      >     Mobile: 607 81 36 89
>      >
>      >     www.s21sec.com, blog.s21sec.com
>      >     The digital security of the future, today.
>      >
>      >     The information contained in this e-mail, as well as the attached
>      >     files, is CONFIDENTIAL. Grupo S21sec Gestión, S.A. guarantees the
>      >     adoption of the measures necessary to ensure the confidential
>      >     treatment of personal data. If you are not the intended recipient
>      >     of this e-mail, please notify the sender and destroy it
>      >     immediately. Reading and/or handling this information in the
>      >     situation described above will be considered illegal, allowing the
>      >     sending company to take legal action of varying scope.
>      >
>      >
>


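What the rule in the thread actually counts, as an added example that is not part of the thread and not SEC's own code: a short Python model of SingleWithThreshold run over constructed snmptt lines. It makes two things visible that the thread only hints at. First, SEC keys each counting operation on the rule's desc, and desc=Mensaje de $1 puts the captured OID into that key, so five unknown traps carrying five different OIDs never reach thresh=5; only five traps with the same OID inside one 60 s window fire the action (with a constant desc they are counted together). Second, the parentheses in pattern=Unknown trap (\S+) are a regex group, not the literal "(" and ")" of the log line; the match still succeeds because \S matches those characters, so $1 carries the OID with its parentheses. The timestamps, OIDs and the Python format string standing in for $1 are constructed for the example. The model uses the timestamp written in each line as the arrival time purely so that it runs offline; real sec stamps events with its own clock as it reads them, which is why a file replayed with -fromstart lands in one short window and why the thresh=1 test above separates "does the pattern match at all" from "did five arrive within a minute".

```python
import re
from datetime import datetime, timedelta

# Constructed sample input in the snmptt "Unknown trap" format quoted in the
# thread (OIDs and timestamps are made up for this example).
SAMPLE_LOG = """\
Fri May 21 11:44:16 2010: Unknown trap (.1.3.6.1.4.1.9999.1) received from 10.15.112.38 at:
Fri May 21 11:44:20 2010: Unknown trap (.1.3.6.1.4.1.9999.2) received from 10.15.112.38 at:
Fri May 21 11:44:25 2010: Unknown trap (.1.3.6.1.4.1.9999.1) received from 10.15.112.38 at:
Fri May 21 11:44:31 2010: Unknown trap (.1.3.6.1.4.1.9999.3) received from 10.15.112.38 at:
Fri May 21 11:44:40 2010: Unknown trap (.1.3.6.1.4.1.9999.1) received from 10.15.112.38 at:
Fri May 21 11:44:50 2010: Unknown trap (.1.3.6.1.4.1.9999.1) received from 10.15.112.38 at:
Fri May 21 11:45:10 2010: Unknown trap (.1.3.6.1.4.1.9999.1) received from 10.15.112.38 at:
Fri May 21 11:45:20 2010: Unknown trap (.1.3.6.1.4.1.9999.1) received from 10.15.112.38 at:
"""

# The regex from the rule in the thread.  The parentheses form a capture
# group, not the literal "(" ")" around the OID; because \S also matches
# "(" and ")", $1 becomes "(.1.3.6...)" with the parentheses included.
PATTERN = re.compile(r"Unknown trap (\S+)")

# snmptt prefixes each line with a ctime()-style timestamp followed by ": ".
TS_RE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}): ")


def parse_ts(line):
    """Return the timestamp at the start of an snmptt log line, or None."""
    m = TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")


class SingleWithThreshold:
    """Simplified model of SEC's SingleWithThreshold rule.

    Each distinct desc string gets its own counting operation (SEC keys the
    operation on rule + desc), so with desc=Mensaje de $1 every OID is
    counted separately.  The window slides over the last `window` seconds;
    when the `thresh`-th event lands inside it the action fires once and
    further matches are ignored until that window has run out.
    """

    def __init__(self, pattern, window, thresh, desc):
        self.pattern = pattern
        self.window = timedelta(seconds=window)
        self.thresh = thresh
        self.desc = desc      # Python format string standing in for "$1" (assumption)
        self.ops = {}         # desc -> {"times": [...], "fired_until": datetime|None}

    def feed(self, line, now):
        """Feed one event arriving at `now`; return the desc that fired, or None."""
        m = self.pattern.search(line)
        if not m:
            return None
        key = self.desc.format(m.group(1))
        op = self.ops.setdefault(key, {"times": [], "fired_until": None})
        if op["fired_until"] is not None:
            if now < op["fired_until"]:
                return None           # still in the post-action ignore period
            op["fired_until"] = None  # that window is over: count afresh
        # Slide the window: forget events older than `window` seconds.
        op["times"] = [t for t in op["times"] if now - t < self.window]
        op["times"].append(now)
        if len(op["times"]) >= self.thresh:
            op["fired_until"] = op["times"][0] + self.window
            op["times"] = []
            return key
        return None


def replay(log_text, window=60, thresh=5, desc="Mensaje de {0}"):
    """Replay log lines, using the timestamp inside each line as arrival time.

    Offline-only assumption: real sec stamps events with its own clock when it
    reads them, so a file replayed with -fromstart lands in a window of a few
    seconds regardless of the times written in the lines.
    Returns [(line_number, desc), ...] for every action that fires.
    """
    rule = SingleWithThreshold(PATTERN, window, thresh, desc)
    fired = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        ts = parse_ts(line)
        if ts is None:
            continue
        key = rule.feed(line, ts)
        if key is not None:
            fired.append((lineno, key))
    return fired


if __name__ == "__main__":
    print("as posted (per-OID key, thresh=5):", replay(SAMPLE_LOG))
    print("thresh=1 as suggested above:      ", replay(SAMPLE_LOG, thresh=1))
    print("one key for all OIDs:             ", replay(SAMPLE_LOG, desc="Mensaje de trap"))
```

With the rule as posted the action fires only at line 7, the fifth trap for OID .1.3.6.1.4.1.9999.1 within 54 seconds; the three other traps in that minute belong to other keys and are never added to that count. With thresh=1 it fires on the first line of every OID and again once the window has expired, and with a constant desc the five traps of lines 1 to 5 fire it regardless of OID.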