Hi, well, I changed several things including the threshold to 1 and something has changed. Now it works!!

mypandora:/home/javier/Simple Event Correlator/sec-2.5.3 # perl sec.pl -conf=my2.conf -input=/var/log/snmptt/snmptthandler.debug
SEC (Simple Event Correlator) 2.5.3
Reading configuration from my2.conf
1 rules loaded from my2.conf
Stdin connected to terminal, SIGINT can't be used for changing the logging level
Executing shell command '/home/javier/msg.sh'
Child 18068 created for command '/home/javier/msg.sh'

This was really my first exercise to find out how SEC works. Now my next task is to correlate and resend some traps.

Thank you all !!

2010/5/21 Risto Vaarandi <risto.vaara...@seb.ee>

> On 05/21/2010 03:46 PM, Bufalo wrote:
> > Hi again,
> >
> > well, I tried all that but it is still not working... I'm still investigating, but any idea would be appreciated.
>
> Are you sure there are 5 traps in the log within the 1 minute window?
> Try changing the threshold from 5 to 1 and see if this changes anything...
> BR,
> risto
>
> > thanks
> >
> > 2010/5/21 Alberto Losada <alos...@s21sec.com>
> >
> > Hi,
> >
> > I think your input file is /var/log/snmptt/snmpttunknown.log. It should be the file where the traps are logged. The output seems correct, I mean, there is no error loading the sec rule you wrote.
> >
> > If you're sure that /var/log/snmptt/snmpttunknown.log contains lines that match the pattern, you can force it to re-read the whole file from the beginning:
> >
> > perl sec.pl -conf=my2.conf -input=/var/log/snmptt/snmpttunknown.log -fromstart
> >
> > If it still does not work, it is a good idea to have the sec rule read information from stdin, in this way:
> >
> > perl sec.pl -conf=my2.conf -input=-
> >
> > Once it has started, you can enter information through stdin. Try to paste:
> >
> > Fri May 21 11:44:16 2010: Unknown trap (OID) received from 10.15.112.38 at:
> >
> > Good luck
> > br
> >
> > Bufalo wrote:
> > > Hi,
> > >
> > > Alberto, thanks for the quick answer but it is still not working. When I run perl sec... I see the following output:
> > >
> > > # perl sec.pl -conf=my2.conf -input=/var/log/snmptt/snmptthandler.debug
> > > SEC (Simple Event Correlator) 2.5.3
> > > Reading configuration from my2.conf
> > > 1 rules loaded from my2.conf
> > > Stdin connected to terminal, SIGINT can't be used for changing the logging level
> > >
> > > Could it be the reason?
> > >
> > > thanks
> > >
> > > 2010/5/21 Alberto Losada <alos...@s21sec.com>
> > >
> > > Hi,
> > >
> > > It seems that you missed the input file to check against the rule:
> > >
> > > perl sec.pl -conf=my2.conf -imput=/var/log/snmptt/snmptthandler.log
> > >
> > > br
> > >
> > > Bufalo wrote:
> > > > Hi,
> > > >
> > > > I just want to integrate a SingleWithThreshold rule that works like this:
> > > >
> > > > I receive a trap in /var/log/snmptt/snmpttunknown.log. The first line of the trap in the log contains this:
> > > >
> > > > Fri May 21 11:44:16 2010: Unknown trap (OID) received from 10.15.112.38 at:
> > > >
> > > > where OID is a variable large number. Then I call this rule:
> > > >
> > > > #Don't show alert until it repeats 5 times in 1 minute
> > > > type=SingleWithThreshold
> > > > ptype=RegExp
> > > > pattern=Unknown trap (\S+)
> > > > desc=Mensaje de $1
> > > > action=shellcmd /home/javier/msg.sh   --> this script is:
> > > >     #!/bin/sh
> > > >     echo umbral superado >> traps.log
> > > > window=60
> > > > thresh=5
> > > >
> > > > in this way:
> > > >
> > > > perl sec.pl -conf=my2.conf -syslog=/var/log/snmptt/snmptthandler.debug
> > > >
> > > > But it doesn't write anything in traps.log. So, does anyone know what I am surely doing wrong?
> > > >
> > > > thanks
> > > >
> > > > _______________________________________________
> > > > Simple-evcorr-users mailing list
> > > > Simple-evcorr-users@lists.sourceforge.net
> > > > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
> > >
> > > --
> > > Alberto Losada Grande
> > > In-house Products Integration Dept.
> > >
> > > Tel: 93 544 27 23
> > > Mobile: 607 81 36 89
> > >
> > > www.s21sec.com, blog.s21sec.com
> > > The digital security of the future, today.
> > >
> > > The information contained in this e-mail, as well as the attached files, is CONFIDENTIAL. Grupo S21sec Gestión, S.A. guarantees the adoption of the measures necessary to ensure the confidential treatment of personal data. If you are not the intended recipient of this e-mail, please notify the sender and destroy it immediately. Reading and/or handling this information in the situation described above will be considered illegal, allowing the sending company to take legal actions of varying scope.
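To make the thread's diagnosis concrete (the rule stays silent with thresh=5 when fewer than five matching traps arrive inside the 60-second window, and fires at once with thresh=1), here is an added Python replay of SingleWithThreshold-style counting over constructed snmptt "Unknown trap" lines. This is example code, not SEC's implementation: it models the rule as a per-desc sliding window with post-action suppression until the window ends (an assumption about SEC's semantics), and the OIDs, addresses and timestamps are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input in the snmptt format quoted in the thread (not real traps).
# The first trap stands alone; the next six share one OID and arrive within a minute.
SAMPLE_LOG = """\
Fri May 21 11:44:16 2010: Unknown trap (.1.3.6.1.4.1.99999.1.1) received from 10.15.112.38 at:
Fri May 21 11:50:01 2010: Unknown trap (.1.3.6.1.4.1.99999.2.7) received from 10.15.112.40 at:
Fri May 21 11:50:09 2010: Unknown trap (.1.3.6.1.4.1.99999.2.7) received from 10.15.112.40 at:
Fri May 21 11:50:20 2010: Unknown trap (.1.3.6.1.4.1.99999.2.7) received from 10.15.112.40 at:
Fri May 21 11:50:33 2010: Unknown trap (.1.3.6.1.4.1.99999.2.7) received from 10.15.112.40 at:
Fri May 21 11:50:47 2010: Unknown trap (.1.3.6.1.4.1.99999.2.7) received from 10.15.112.40 at:
Fri May 21 11:50:55 2010: Unknown trap (.1.3.6.1.4.1.99999.2.7) received from 10.15.112.40 at:
"""

# snmptt prefixes each line with "Day Mon DD HH:MM:SS YYYY: " (day may be space-padded).
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} \s?\d{1,2} \d{2}:\d{2}:\d{2} \d{4}): (?P<msg>.*)$")
TS_FORMAT = "%a %b %d %H:%M:%S %Y"

# The rule's pattern, verbatim. Note that it does not escape the parentheses in the
# log line, so $1 captures "(.1.3.6...)" including the parentheses.
PATTERN = re.compile(r"Unknown trap (\S+)")


def parse_line(line):
    """Return (timestamp, desc) for a matching line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pm = PATTERN.search(m.group("msg"))
    if not pm:
        return None
    ts = datetime.strptime(" ".join(m.group("ts").split()), TS_FORMAT)
    return ts, f"Mensaje de {pm.group(1)}"  # desc=Mensaje de $1


def correlate(log_text, window=60, thresh=5):
    """Replay the log through SingleWithThreshold-style counting.

    One counting operation exists per distinct desc. Events older than `window`
    seconds slide out of the count; when `thresh` events sit inside the window the
    action fires once, and further matching events for that desc are ignored until
    the window that started with the first counted event expires (assumed semantics).
    Returns the list of (timestamp, desc) pairs at which the action would run.
    """
    pending = defaultdict(deque)  # desc -> timestamps of counted events
    suppressed_until = {}          # desc -> end of the window after an action fired
    actions = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, desc = parsed
        if desc in suppressed_until:
            if ts < suppressed_until[desc]:
                continue  # action already ran for this window; ignore the repeat
            del suppressed_until[desc]
        q = pending[desc]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window:
            q.popleft()  # slide the window forward
        if len(q) >= thresh:
            actions.append((ts, desc))
            suppressed_until[desc] = q[0] + timedelta(seconds=window)
            q.clear()
    return actions


if __name__ == "__main__":
    for thresh in (5, 1):
        fired = correlate(SAMPLE_LOG, window=60, thresh=thresh)
        print(f"thresh={thresh}: action fired {len(fired)} time(s)")
        for ts, desc in fired:
            print(f"  {ts:%a %b %d %H:%M:%S %Y}  {desc}")
```

With the sample above, thresh=5 fires exactly once (at 11:50:47, the fifth trap with the same OID inside 60 s) and the lone 11:44:16 trap never triggers anything, which is the situation the thread ran into; thresh=1 fires on the first trap of each OID and then suppresses the repeats for the rest of the window.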