So you would like to react on the *second* DHCPDISCOVER event, where the network is the same as for the previous event, but MAC is different?
If that's the case, here are the rulesets for sample A and B events. The first solutions employs one Pair rule. Since regular expressions are identical in both parts of the rule, the first regular expression will grab all events and nothing gets passed to the second expression. In order to prevent this from happening, we have to use a context called TRACKING_$2 which will be created when the first event appears. For example, if event "blah A blah B" appears, context TRACKING_B is created. The presence of the context will switch off the first regular expression for 60 seconds if any subsequent event "blah * blah B" arrives. After example event "blah A blah B" has arrived, we will also create an alias HAVE_SEEN_B_WITH_A which indicates that we have seen B with A (creating an alias instead of another context is useful, since TRACKING_B and HAVE_SEEN_B_WITH_A are supposed to exist exactly at the same time). Suppose now that second instance of "blah * blah B" event comes in. Note that the first regular expression is unable to match due to the presence of TRACKING_B. However, the second regular expression matches only if * is not A (since the presence of HAVE_SEEN_B_WITH_A prevents the match from occurring). For instance, if "blah C blah B" comes in, it matches, since HAVE_SEEN_B_WITH_C does not exist, and thus a string "we have observed B without A (instead A there was C)" gets written to standard output: type=Pair ptype=regexp pattern=blah (.+) blah (.+) context=!TRACKING_$2 desc=tracking second instance of $2 action=create TRACKING_$2 60; alias TRACKING_$2 HAVE_SEEN_$2_WITH_$1 ptype2=regexp pattern2=blah (.+) blah $2 context2=!HAVE_SEEN_%2_WITH_$1 desc2=we have observed %2 without %1 (instead %1 there was $1) action2=write - %s; delete TRACKING_%2 window=60 (Note that the lifetime of the Pair operation and the contexts is 60 seconds.) If you would like to achieve the same effect with Single rules, you could do something like: type=Single ptype=regexp pattern=blah (.+) blah (.+) context=!TRACKING_$2 desc=start tracking second instance of $2 without $1 action=create TRACKING_$2 60; alias TRACKING_$2 HAVE_SEEN_$2_WITH_$1 type=Single ptype=regexp pattern=blah (.+) blah (.+) context=TRACKING_$2 && !HAVE_SEEN_$2_WITH_$1 desc=we have observed $2 twice with different companions action=write - %s; delete TRACKING_$2 It is quite similar to previous Pair rule - you just can't get the name of first companion of B into the alarm (A, that is). I have to admit I like the second solution a bit more, since all correlation logic is presented as boolean expressions, and is thus easier to read. In your last post, I also noticed that you used ^ for negation inside the pattern2 field. That will not work unfortunately -- ^ works as a negation operator only inside square brackets [^...], but this construct matches *one* character only. If you want to negate a whole string, Perl regexp negative look-ahead or look-behind might do the trick. I my example, I haven't used it, but the first solution might be somewhat simpler with it: type=Pair ptype=regexp pattern=blah (.+) blah (.+) context=!TRACKING_$2 desc=tracking second instance of $2 action=create TRACKING_$2 60 ptype2=regexp pattern2=blah ((?!$1)\S+) blah $2 desc2=we have observed %2 without %1 (instead %1 there was $1) action2=write - %s; delete TRACKING_%2 window=60 Note that I haven't tested it fully, but after a quick test it seemed to work. hope this helps and is not too confusing :) risto On 10/01/2010 07:25 PM, Mike Rykowski wrote: > What I want to do is ignore subsequent messages if the mac and network > are the same. But if a subsequent message has the same network but > different mac then send email. > > So it seems I'd like to see your example solutions :) > > On Fri, 2010-10-01 at 19:17 +0300, Risto Vaarandi wrote: >> hi Mike, >> >> I have almost completed two possible example solutions to the problem, >> but after seeing your e-mail I have an inkling I've got the problem >> statement wrong :( >> So far I had an impression that you would like to do some clever >> pairwise correlation for events that are matched by (almost) identical >> regular expressions. (Just a note: if the expressions are almost the >> same, it is actually a bit tricky with Pair* rules.) >> However, from the example I've got an understanding that you would >> simply like to suppress duplicate alarms for within a given time window, >> provided that *both* the MAC address and the network are the same. Is my >> understanding correct? >> If so, you could try the following rule: >> >> type=SingleWithSuppress >> ptype=RegExp >> pattern=\S+\s+\S+\s+\S+\s+\S+ dhcpd: DHCPDISCOVER from (\S+) via \S+ >> network (\S+): no free leases >> desc=$2 no free leases for MAC $1 >> action=send email >> window=120 >> >> If I didn't get it quite right, I'll post my two example solutions :) > ------------------------------------------------------------------------------ Start uncovering the many advantages of virtual appliances and start using them to simplify application deployment and accelerate your shift to cloud computing. http://p.sf.net/sfu/novell-sfdev2dev _______________________________________________ Simple-evcorr-users mailing list Simple-evcorr-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
