> Thank you Risto and John,
> 
> It's exactly what I need.
> Is it possible to make operation over the file set as an
> input?
> To explain more precisely my point : 
> 
> Actually I execute the following command : 
> 
> perl sec.pl -conf=SecRules.conf
> -input=\\\\remoteServer1\\file.log
> 
> and my conf file is what you suggested me
> 
> # filter out ORA-XXXXX and ORA-YYYYY
> type=Suppress
> ptype=RegExp
> pattern=ORA-(?:XXXXX|YYYYY)
> 
> # captures all "ORA-" error except ORA-XXXXX and ORA-YYYYY
> and send to 
> # myself a mail containing the hardcoded server name
> (remoteServer1) in the # .bat file + the error number
> type=Single
> ptype=RegExp
> pattern=(ORA-\d+)
> desc=Oracle warning, error code: $1 on my remote server
> action=shellcmd sendMailParam.bat $1
> 
> I have 6 log files that I plan to probe. The procedure
> above is good for only one file. To do what I want, I have
> to execute the perl command 6 times with 6 different input
> because I don't know whether it is possible to pick out the
> input file that triggered the rule as a usable
> parameter/variable. 

In fact, although RegExp patterns don't allow for setting a variable that 
contains the input file name, there is another pattern type call PerlFunc which 
supports that. Have a look at the PerlFunc description on the following man 
page section: 
http://simple-evcorr.sourceforge.net/sec.pl.html#lbAG
There is an example there how to get the input file name and assign it to a 
$<number> variable.
regards,
risto

> The aim is to avoid to have 6 different
> bat file just for differentiating the source.
> 
> Regards
> 
> -----Message d'origine-----
> De : John P. Rouillard [mailto:rou...@cs.umb.edu]
> 
> Envoyé : lundi 21 juin 2010 15:22
> À : ZERIBI Moufid
> Cc : simple-evcorr-users@lists.sourceforge.net
> Objet : Re: [Simple-evcorr-users] check pattern not in a
> keyword list 
> 
> 
> In message <c8b29d582dbc8d458758e7d5c2b2a354011fd...@harpo.murex.com>,
> "ZERIBI Moufid" writes:
> > I have a database log file that I'd like
> >to analyse and send e-mail each time a keyword (ORA-)
> is found. The
> >problem is I want to exclude some specific ORA-XXXX
> errors. How can I
> >say in my pattern that I want to find all "ORA-"
> entries except those
> >which are ORA-XXXX, ORA-YYYY.
> >
> >This is actually what I have. It doesn't distinguish
> the uninteresting
> >ORA-XXXX, ORA-YYYY from the others
> >
> >>type=Single
> >ptype=SubStr
> >pattern=ORA-
> >desc=Oracle alert.log warning
> >action=shellcmd sendMail.bat
> 
> In the file before this rule put some suppress rules that
> match the
> exact error you want to ignore. For example:
> 
>   type=Suppress
>   ptype=SubStr
>   pattern=ORA-XXXX
>   desc=Ignore oracle xxxx errors
> 
>   type=Suppress
>   ptype=SubStr
>   pattern=ORA-YYYY
>   desc=Ignore oracle yyyy errors
> 
> Once a rule matches in a file, the event is not passed to
> the
> following rules unless you set the continue parameter fo
> the rule to
> takenext. So putting these suppress rules earlier in the
> file will
> consume the event and stop it from triggering your single
> rule.
> 
> --
>            
>     -- rouilj
> John Rouillard
> ===========================================================================
> My employers don't acknowledge my existence much less my
> opinions. 
>  
> *******************************
> This e-mail contains information for the intended recipient
> only. It may contain proprietary material or confidential
> information. If you are not the intended recipient you are
> not authorised to distribute, copy or use this e-mail or any
> attachment to it. Murex cannot guarantee that it is virus
> free and accepts no responsibility for any loss or damage
> arising from its use. If you have received this e-mail in
> error please notify immediately the sender and delete the
> original email received, any attachments and all copies from
> your system.
> 
> ------------------------------------------------------------------------------
> ThinkGeek and WIRED's GeekDad team up for the Ultimate 
> GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the 
> lucky parental unit.  See the prize list and enter to
> win: 
> http://p.sf.net/sfu/thinkgeek-promo
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
> 


      

------------------------------------------------------------------------------
ThinkGeek and WIRED's GeekDad team up for the Ultimate 
GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the 
lucky parental unit.  See the prize list and enter to win: 
http://p.sf.net/sfu/thinkgeek-promo
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users

Reply via email to