Hello Moufid:

In message <c8b29d582dbc8d458758e7d5c2b2a354011fd...@harpo.murex.com>,
"ZERIBI Moufid" writes:

>It's exactly what I need.
>Is it possible to make operation over the file set as an input?
>To explain more precisely my point :
>
>Actually I execute the following command :
>
>perl sec.pl -conf=SecRules.conf -input=\\\\remoteServer1\\file.log
>
>and my conf file is what you suggested me
>
>[...]
>desc=Oracle warning, error code: $1 on my remote server
>action=shellcmd sendMailParam.bat $1
>
>I have 6 log files that I plan to probe. The procedure above is good for
>only one file. To do what I want, I have to execute the perl command 6
>times with 6 different input because I don't know whether it is possible
>to pick out the input file that triggered the rule as a usable
>parameter/variable. The aim is to avoid having 6 different bat files
>just for differentiating the source.

Hmm, one way to do it is to use:

  perl sec.pl -conf=SecRules.conf \
    -input=\\\\remoteServer1\\file.log=remoteserver1 \
    -input=\\\\remoteServer2\\file.log=remoteserver2 \
    ... \
    -input=\\\\remoteServer6\\file.log=remoteserver6

and duplicate your last rule once for each remoteserver using the
context parameter:

  # captures all "ORA-" errors except ORA-XXXXX and ORA-YYYYY and sends
  # me a mail containing the hardcoded server name (remoteServer1) in the
  # .bat file + the error number
  type=Single
  ptype=RegExp
  pattern=(ORA-\d+)
  context = remoteserver1
  desc=Oracle warning, error code: $1 on my remote server
  action=shellcmd sendMailParam.bat $1

  # captures all "ORA-" errors except ORA-XXXXX and ORA-YYYYY and sends
  # me a mail containing the hardcoded server name (remoteServer2) in the
  # .bat file + the error number
  type=Single
  ptype=RegExp
  pattern=(ORA-\d+)
  context = remoteserver2
  desc=Oracle warning, error code: $1 on my remote server
  action=shellcmd sendMailParam.bat $1

  ...

  # captures all "ORA-" errors except ORA-XXXXX and ORA-YYYYY and sends
  # me a mail containing the hardcoded server name (remoteServer6) in the
  # .bat file + the error number
  type=Single
  ptype=RegExp
  pattern=(ORA-\d+)
  context = remoteserver6
  desc=Oracle warning, error code: $1 on my remote server
  action=shellcmd sendMailParam.bat $1

The input format:

  -input=\\\\remoteServer6\\file.log=remoteserver6

sets the context after the = sign when the current event is read from
that file. In this case it sets the context "remoteserver6", and the
last of my example rules above will fire only when that context is
defined.

Another way I have done this in the past is to use tail -F on all the
input files fed into stdin of sec. Then I have a single rule that sets
a filename variable in response to the header that tail prints when it
is sending data from a new file. However, since you are running on
Windows, this is probably not an option. But it does work around the
need to have 6 copies of the rule.

Another possibility is to use the eval action as the first rule and
access the value of the perl variable $input_sources[]. IIRC this array
is an ordered list of the files that the input is from. The last
element in this array should be the filename of the current event. But
this is a tricky way of doing it because some events don't come from
files (they are generated from spawn or event actions), so some special
handling may be needed.

Now this does suggest a possible enhancement to SEC. It could define a
variable or two with the fullname and basename of the current input
file. So if --filenames is specified on the command line, the variables:

  %b - basename (everything after the last / or \ in the input file name)
  %f - fullname (the whole path as specified to -input)

could be defined. It would have to be an explicit option since some
people may be using %b and %f already in their rulesets. But this would
let you do things like:

  action=shellcmd sendMailParam.bat $1 "%f"

that would expand to:

  action=shellcmd sendMailParam.bat ORA-3456 "\\remoteServer1\file.log"

(assuming the \\ are reduced to \ by the cmd batch file).

Risto, what do you think about this enhancement?

--
				-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
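The "tail -F header" approach from the mail, made available on Windows as an added example (this is not SEC's code nor the poster's): a small Python follower that prints the same "==> name <==" header tail -F prints whenever the source file changes, so a single SEC rule pair can track the current file instead of six copies of one rule. It assumes SEC reads the script's output from stdin (-input=-) with a first rule matching ^==> (\S+) <==$ that runs "assign %src $1", and a second rule matching (ORA-\d+) whose action is "shellcmd sendMailParam.bat $1 %src"; the path=name arguments mirror the -input form in the mail.

```python
"""Follow several log files, printing a `==> name <==` header whenever the
source changes (the header tail -F prints), so one SEC rule can track the
current file.  Added example for this thread, not SEC's own code."""
import os
import sys
import time

def poll(sources, offsets, current):
    """Return (new_lines, current) for the (path, name) pairs in `sources`;
    `offsets` (path -> bytes consumed) is updated in place."""
    out = []
    for path, name in sources:
        try:
            size = os.path.getsize(path)
        except OSError:
            continue                      # missing or being rotated: retry next poll
        pos = offsets.get(path, 0)
        if size < pos:                    # truncated or replaced: restart from the top
            pos = 0
        if size == pos:
            continue
        with open(path, "rb") as fh:
            fh.seek(pos)
            data = fh.read()
        parts = data.split(b"\n")
        partial = parts.pop()             # b"" when data ended with a newline
        offsets[path] = pos + len(data) - len(partial)   # keep unterminated tail for later
        if not parts:
            continue                      # only an incomplete line so far
        if name != current:               # same header format tail -F prints
            out.append("==> %s <==" % name)
            current = name
        out.extend(p.decode("utf-8", "replace").rstrip("\r") for p in parts)
    return out, current

def follow(sources, interval=1.0):
    offsets, current = {}, None
    while True:
        lines, current = poll(sources, offsets, current)
        for line in lines:
            print(line, flush=True)       # pipe into: perl sec.pl -conf=SecRules.conf -input=-
        time.sleep(interval)

if __name__ == "__main__":
    # arguments use the same path=name form as -input in the mail
    follow([tuple(a.rsplit("=", 1)) if "=" in a else (a, os.path.basename(a))
            for a in sys.argv[1:]])
```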
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users