Javier, if each trap has several parameters that can have different values, and you want to correlate events with the *same* set of values, this can be easily accomplished by setting the 'desc' parameter accordingly.
Suppose that the trap with OID .1.2.3 can have two parameters: <generic OID> .1.2.3 A C <generic OID> .1.2.3 A D <generic OID> .1.2.3 B D With this example, it is obvious that the following rule will react only to the first trap: type=SingleWithSuppress ptype=RegExp pattern=<generic OID> (\S+) desc=estado $1 action=shellcmd /home/javier/send.sh window=300 However, if you rewrite the rule as follows, each trap .1.2.3 with a *different* set of parameter values will be correlated by a different event correlation operation (in other words, if a trap with a new set of parameter values comes in, it is written to the log and then suppressed for 5 minutes): type=SingleWithSuppress ptype=RegExp pattern=<generic OID> (\S+) (\S+) (\S+) desc=estado $1 $2 $3 action=shellcmd /home/javier/send.sh window=300 The key to the solution is to define the 'desc' parameter correctly, since 'desc' defines the scope of event correlation operations. Similar question has been asked many times in this list before, and since this is one of the fundamentals of SEC, please have a look at the relevant section of the man page: http://simple-evcorr.sourceforge.net/sec.pl.html#lbAV This section explains the relation between rules and event correlation operations, and how the 'desc' parameter influences this. BR, risto On 06/01/2010 10:32 AM, Javier wrote: > Hi, > > well, that trap comes from a device with several parameters. I receive 3 > different traps, some common parameters to all traps and others only for > each trap. A change in the trap is when I receive a different data in > any parameter from the last same trap. > > I´ve been searching documentation and maybe i could use Context to save > the data from each parameter and then show it later if it changes, but i > don´t know exactly how i can do that. Is it possible?. Any suggestion? > > thanks in advance > > > 2010/5/31 Risto Vaarandi <rvaara...@yahoo.com <mailto:rvaara...@yahoo.com>> > > How do you define a change in the trap? > br, > risto > > > --- On Mon, 5/31/10, Javier <esj...@gmail.com > <mailto:esj...@gmail.com>> wrote: > > From: Javier <esj...@gmail.com <mailto:esj...@gmail.com>> > Subject: [Simple-evcorr-users] Can SEC help me ?? > To: "simple-evcorr-users" <simple-evcorr-users@lists.sourceforge.net > <mailto:simple-evcorr-users@lists.sourceforge.net>> > Date: Monday, May 31, 2010, 8:15 PM > > Hi, > > i need to make a persistance correlation and i´m not sure if SEC can > help me. It should goes like this: > > I receive traps with a determinate OID in a log file as raw data, > then i write the output to a DB to show it later as an alarm. > > > I want to show the first coincidence and i want to correlate the > event to show only when its a change in the trap during a time > threshold and if there´s a change in that same event, reset that > time threshold and of course show the changes. I prefer do it in > memory and not in DB... > > > Well, is it possible to do that with SEC? and if yes... HOW??? maybe > using several rules in the same conf file?? > > > thanks in advance > > > > > -----Inline Attachment Follows----- > > > ------------------------------------------------------------------------------ > > > -----Inline Attachment Follows----- > > _______________________________________________ > Simple-evcorr-users mailing list > Simple-evcorr-users@lists.sourceforge.net > <mailto:Simple-evcorr-users@lists.sourceforge.net> > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users > > > > > > > > ------------------------------------------------------------------------------ > > > > > _______________________________________________ > Simple-evcorr-users mailing list > Simple-evcorr-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users ------------------------------------------------------------------------------ _______________________________________________ Simple-evcorr-users mailing list Simple-evcorr-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
