I implemented what John suggested and it works pretty well. Thank you!
Regarding Risto's solution, I guess I have to combine 2 kinds of rules, one
with a perlfunc ptype (to get the input source) and another with a regexp
ptype (to catch ORA-XXXXX errors). Since I have set up a working probe (even
though I have x rules for x envs), I prefer not to focus on optimisation, for
lack of time to search & implement by myself. This would make sense for me if
the number of envs to check considerably increases and the conf file becomes
excessively huge.

I thank you all for your precious and effective help.

Best regards.

-----Original Message-----
From: Risto Vaarandi [mailto:rvaara...@yahoo.com]
Sent: Friday, 25 June 2010 09:43
To: rou...@ieee.org; ZERIBI Moufid
Cc: simple-evcorr-users@lists.sourceforge.net
Subject: Re: [Simple-evcorr-users] check pattern not in a keyword list


> Thank you Risto and John,
> 
> It's exactly what I need.
> Is it possible to make operation over the file set as an
> input?
> To explain more precisely my point : 
> 
> Actually I execute the following command : 
> 
> perl sec.pl -conf=SecRules.conf -input=\\\\remoteServer1\\file.log
> 
> and my conf file is what you suggested me
> 
> # filter out ORA-XXXXX and ORA-YYYYY
> type=Suppress
> ptype=RegExp
> pattern=ORA-(?:XXXXX|YYYYY)
> 
> # captures all "ORA-" error except ORA-XXXXX and ORA-YYYYY and send to
> # myself a mail containing the hardcoded server name (remoteServer1) in the
> # .bat file + the error number
> type=Single
> ptype=RegExp
> pattern=(ORA-\d+)
> desc=Oracle warning, error code: $1 on my remote server
> action=shellcmd sendMailParam.bat $1
> 
> I have 6 log files that I plan to probe. The procedure
> above is good for only one file. To do what I want, I have
> to execute the perl command 6 times with 6 different input
> because I don't know whether it is possible to pick out the
> input file that triggered the rule as a usable
> parameter/variable. 

In fact, although RegExp patterns don't allow for setting a variable that 
contains the input file name, there is another pattern type called PerlFunc 
which supports that. Have a look at the PerlFunc description on the following 
man page section: 
http://simple-evcorr.sourceforge.net/sec.pl.html#lbAG
There is an example there how to get the input file name and assign it to a 
$<number> variable.
regards,
risto

> The aim is to avoid having 6 different
> bat files just for differentiating the source.
> 
> Regards
> 
> -----Original Message-----
> From: John P. Rouillard [mailto:rou...@cs.umb.edu]
> Sent: Monday, 21 June 2010 15:22
> To: ZERIBI Moufid
> Cc: simple-evcorr-users@lists.sourceforge.net
> Subject: Re: [Simple-evcorr-users] check pattern not in a keyword list
> 
> 
> In message <c8b29d582dbc8d458758e7d5c2b2a354011fd...@harpo.murex.com>,
> "ZERIBI Moufid" writes:
> > I have a database log file that I'd like to analyse and send e-mail
> > each time a keyword (ORA-) is found. The problem is I want to exclude
> > some specific ORA-XXXX errors. How can I say in my pattern that I want
> > to find all "ORA-" entries except those which are ORA-XXXX, ORA-YYYY.
> >
> > This is actually what I have. It doesn't distinguish the uninteresting
> > ORA-XXXX, ORA-YYYY from the others
> >
> > type=Single
> > ptype=SubStr
> > pattern=ORA-
> > desc=Oracle alert.log warning
> > action=shellcmd sendMail.bat
> 
> In the file before this rule put some suppress rules that match the
> exact error you want to ignore. For example:
> 
>   type=Suppress
>   ptype=SubStr
>   pattern=ORA-XXXX
>   desc=Ignore oracle xxxx errors
> 
>   type=Suppress
>   ptype=SubStr
>   pattern=ORA-YYYY
>   desc=Ignore oracle yyyy errors
> 
> Once a rule matches in a file, the event is not passed to the
> following rules unless you set the continue parameter for the rule to
> takenext. So putting these suppress rules earlier in the file will
> consume the event and stop it from triggering your single rule.
> 
> --
>            
>     -- rouilj
> John Rouillard
> ===========================================================================
> My employers don't acknowledge my existence much less my
> opinions. 
>  
> *******************************
> This e-mail contains information for the intended recipient
> only. It may contain proprietary material or confidential
> information. If you are not the intended recipient you are
> not authorised to distribute, copy or use this e-mail or any
> attachment to it. Murex cannot guarantee that it is virus
> free and accepts no responsibility for any loss or damage
> arising from its use. If you have received this e-mail in
> error please notify immediately the sender and delete the
> original email received, any attachments and all copies from
> your system.
> 
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
> 
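Added example, not part of the original thread and not code from the SEC
project: one way to cover several log files with a single rule file, using the
PerlFunc pattern type Risto points to. It assumes, as described in the man page
section linked above, that the function receives the input line as its first
argument and the name of the input source as its second; remoteServer2 and a
sendMailParam.bat that accepts the source as a second argument are constructed
for illustration.

```conf
# SecRules.conf, started once with one -input option per log file, e.g.
#   perl sec.pl -conf=SecRules.conf \
#        -input=\\\\remoteServer1\\file.log \
#        -input=\\\\remoteServer2\\file.log
# (remoteServer2 is a constructed name; XXXXX/YYYYY are the thread's
# placeholders for the error numbers to ignore)

# Filter out ORA-XXXXX and ORA-YYYYY from every input file.
type=Suppress
ptype=RegExp
pattern=ORA-(?:XXXXX|YYYYY)

# Match any remaining ORA- error. The function returns two values:
#   $1 = the error code, restricted to "ORA-" followed by digits
#   $2 = the input source that produced the line (assumed to be $_[1])
# Returning an empty list means "no match".
type=Single
ptype=PerlFunc
pattern=sub { my ($line, $src) = @_; \
  my ($code) = $line =~ /(ORA-\d+)/ or return (); \
  return ($code, $src); }
desc=Oracle warning, error code: $1 from input $2
action=shellcmd sendMailParam.bat $1 "$2"
```

Only the captured ORA-<digits> token and the operator-supplied input name reach
the shellcmd action, never the raw log line, so text written into the monitored
log cannot add arguments or commands to the .bat invocation.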