hi,
and sorry for not being able to answer yesterday :(
There is an easy explanation to the issue. The %<alnum> variables (which 
are created by SEC actions) can only be used in action lists, while the 
$<num> and %<num> match variables (created by patterns) work across 
entire rule definition. However, %<alnum> variables have the advantage 
of being visible across all rules. There are several reasons for this -- 
some %<alnum> variables might not have a value yet when certain parts of 
the rule are processed (most notably %s); also, some values might not 
make sense at all (like function pointers). It would also make pattern 
handling much more complex.

For the rules you are having, I actually see no reason to employ 
%<alnum> variables, since regular match variables are enough for 
handling the case. I made a couple of very minor corrections to the 
rules (hopefully I was able to understand the true meaning of the rules 
properly). I only removed the setting of %h variable from Rule1, and 
also changed the 'context' field of Rule3 (previously this field 
contained a regular expression, but one can only use Boolean expressions 
in this field):

type=Single
ptype=regexp
pattern=^\[\d+\]\sCURRENT\sSERVICE\sSTATE:\s(\w+);(mm_error|mq_error|ms_error);(CRITICAL);(HARD|SOFT);(\d).+$
context=!$1-MMSD-$2-$3
desc=Fault-event:
action=create $1-MMSD-$2-$3; \
         write /usr/local/etc/SEC_Log_Pipe [%u] %s %h-MMSD-$2-CRITICAL is $3; \
         event $1-MMSD-Service-Problem;

type=single
ptype=regexp
pattern=^(\w+)-MMSD-Service-Problem
context=$1-MMSD-mm_error-CRITICAL && $1-MMSD-mq_error-CRITICAL && $1-MMSD-ms_error-CRITICAL
desc=Problem Detected:
action= write - [%t] %s; \
         write /usr/local/etc/SEC_Log_Pipe [%u] %s %h-MMSD-Service;

type=Single
ptype=regexp
pattern=^\[\d+\]\sCURRENT\sSERVICE\sSTATE:\s(\w+);(mm_error|mq_error|ms_error);(OK);(HARD|SOFT);(\d).+$
desc=OK event received: removing context $1-MMSD-$2-$3
context=$1-MMSD-$2-CRITICAL
action=write %s; \
        delete $1-MMSD-$2-CRITICAL

kind regards,
risto
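
The variable scoping described in the reply above, as an added Python example that is not part of the original thread and is not SEC code: it models the three corrected rules over constructed log lines and shows that a %h reference in the 'context' field of Rule 2 never resolves. The names correlate, subst and rule2_ctx, and the queueing of the synthetic event ahead of the remaining input, are assumptions of this sketch.

```python
import re

# Simplified model of the corrected rules (illustration only, not SEC code).
STATE = re.compile(r"^\[\d+\]\sCURRENT\sSERVICE\sSTATE:\s(\w+);"
                   r"(mm_error|mq_error|ms_error);(CRITICAL|OK);(HARD|SOFT);(\d).+$")
PROBLEM = re.compile(r"^(\w+)-MMSD-Service-Problem")
FAULTS = ("mm_error", "mq_error", "ms_error")

# Constructed sample input: three CRITICAL states, then three OK states.
SAMPLE = [f"[1284336000] CURRENT SERVICE STATE: cmtest01;{f};{s};HARD;1;Agent Service"
          for s in ("CRITICAL", "OK") for f in FAULTS]


def subst(template, match):
    """Expand $<num> match variables only; a %<alnum> name stays literal,
    modelling that it is not available in pattern or context fields."""
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))), template)


def correlate(lines, rule2_ctx="$1-MMSD-{}-CRITICAL"):
    """Return (remaining contexts, output lines) after processing all events."""
    contexts, output, queue = set(), [], list(lines)
    while queue:
        line = queue.pop(0)
        m = STATE.match(line)
        if m and m.group(3) == "CRITICAL":            # Rule 1
            ctx = subst("$1-MMSD-$2-$3", m)
            if ctx not in contexts:                   # context=!$1-MMSD-$2-$3
                contexts.add(ctx)                     # create
                queue.insert(0, subst("$1-MMSD-Service-Problem", m))  # event
        elif m:                                       # Rule 3 (OK state)
            ctx = subst("$1-MMSD-$2-CRITICAL", m)
            if ctx in contexts:                       # context=$1-MMSD-$2-CRITICAL
                contexts.discard(ctx)                 # delete
                output.append("cleared " + ctx)
        else:                                         # Rule 2 (synthetic event)
            p = PROBLEM.match(line)
            wanted = [rule2_ctx.format(f) for f in FAULTS]
            if p and all(subst(w, p) in contexts for w in wanted):  # a && b && c
                output.append("problem detected on " + p.group(1))
    return contexts, output


if __name__ == "__main__":
    print(correlate(SAMPLE)[1])                               # match variables
    print(correlate(SAMPLE, "%h-MMSD-{}-CRITICAL")[1])        # %h in context
```
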

On 11/05/2010 12:28 PM, M Haris Farooque wrote:
>
>> hi all,
>> *Sorry, I made a typo in my previous mail.*
>>
>> I am having a slight problem; maybe some of you can take a look
>> and figure it out.
>> I am assigning a value to a variable using eval in Rule 1, and
>> then using the same value in the other rules,
>>
>> but I'm not sure why the other rules are not able to recognize the pattern.
>> The rules are as follows:
>>
>> rule 1:
>> --------
>>
>> type=Single
>> ptype=regexp
>> pattern=^\[\d+\]\sCURRENT\sSERVICE\sSTATE:\s(\w+);(mm_error|mq_error|ms_error);(*CRITICAL*);(HARD|SOFT);(\d).+$
>> context=!$1-MMSD-$2-$3
>> desc=Fault-event:
>> action=create $1-MMSD-$2-$3; \
>> *eval %h ( $h = "$1"); \*
>>         write /usr/local/etc/SEC_Log_Pipe [%u] %s %h-MMSD-$2-CRITICAL is $3; \
>>         event *%h-MMSD-Service-Problem*;
>>
>> ### $1 = hostname, $2=fault, $3=flag (i.e. CRITICAL)
>>
>> rule 2:
>> --------
>> type=single
>> ptype=substr
>> pattern=*%h-MMSD-Service-Problem*
>> context=*%h-*MMSD-mm_error-CRITICAL && *%h*-MMSD-mq_error-CRITICAL && *%h*-MMSD-ms_error-CRITICAL
>> desc=Problem Detected:
>> action= write - [%t] %s; \
>>         write /usr/local/etc/SEC_Log_Pipe [%u] %s *%h*-MMSD-Service;
>>
>> rule 3:
>> ----------
>> type=Single
>> ptype=regexp
>> pattern=^\[\d+\]\sCURRENT\sSERVICE\sSTATE:\s(\w+);(mm_error|mq_error|ms_error);(*OK*);(HARD|SOFT);(\d).+$
>> desc=OK event received: removing context %h-MMSD-$2-$3
>> context=*%h*-MMSD-$2-CRITICAL
>> action=write %s; \
>>         delete %h-MMSD-$2-CRITICAL;
>> ###########################################################
>>
>> for given sample data it only matches Rule 1 but never matches Rule 2
>> or Rule 3.
>>
>> Sample Input Data:
>> -----------------------------
>> [1284336000] CURRENT SERVICE STATE: cmtest01;mm_eror;CRITICAL;HARD;1;Agent Service
>> [1284336000] CURRENT SERVICE STATE: cmtest01;mq_eror;CRITICAL;HARD;1;Agent Service
>> [1284336000] CURRENT SERVICE STATE: cmtest01;ms_eror;CRITICAL;HARD;1;Agent Service
>>                 # after this all contexts have been created and Rule 2
>> should be applied, but this is not happening here
>>
>> [1284336000] CURRENT SERVICE STATE: cmtest01;mm_eror;OK;HARD;1;Agent Service
>> [1284336000] CURRENT SERVICE STATE: cmtest01;mq_eror;OK;HARD;1;Agent Service
>> [1284336000] CURRENT SERVICE STATE: cmtest01;ms_eror;OK;HARD;1;Agent Service
>>                 # rule 3 should execute, but again eventually this is
>> not happening in this case
>>
>>
>> note: %h is cmtest01 (hostname)
>>
>>
>> If, instead of using %h, I place 'cmtest01', then everything works fine.
>>
>> Can anybody suggest what is wrong here?
>>
>> thanks and regards
>> --
>>
>> Kind Regards/Mit freundlichen Grüßen
>>
>> M Haris Farooque
>>
>>
>> ------------------------------------------------------------------------------
>> The Next 800 Companies to Lead America's Growth: New Video Whitepaper
>> David G. Thomson, author of the best-selling book "Blueprint to a
>> Billion" shares his insights and actions to help propel your
>> business during the next growth cycle. Listen Now!
>> http://p.sf.net/sfu/SAP-dev2dev
>>
>>
>> _______________________________________________
>> Simple-evcorr-users mailing list
>> Simple-evcorr-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
> OK, I managed to fix it, but I am still not sure about SEC's behaviour in
> treating internal variables. In my Rule 2 and Rule 3, I made one change
> and it started working as it should. The changes I made are
> highlighted in '*GREEN*'.
>
> Rule 2:
> ---------
>
> type=single
> ptype=*regexp*
> pattern=*^(\w+)-MMSD-Service-Problem*
> context=*$1-*MMSD-mm_error-CRITICAL && **$1**-MMSD-mq_error-CRITICAL && *$1*-MMSD-ms_error-CRITICAL
> desc=Problem Detected:
> action= write - [%t] %s; \
>          write /usr/local/etc/SEC_Log_Pipe [%u] %s *%h*-MMSD-Service;
>
> rule 3:
> ----------
> type=Single
> ptype=regexp
> pattern=^\[\d+\]\sCURRENT\sSERVICE\sSTATE:\s(\w+);(mm_error|mq_error|ms_error);(*OK*);(HARD|SOFT);(\d).+$
> desc=OK event received: removing context $1-MMSD-$2-$3
> context=**^(\w+)**-MMSD-$2-CRITICAL
> action=write %s; \
>          delete %h-MMSD-$2-CRITICAL;  ##  Delete context with %h. It's working, but ???
>
>
> If the scope of the variable is extended across different rules and
> across different files, then why is it not able to retrieve the
> value of '%h' here? It is surprising that, in Rule 3, I am still able to
> delete the context by using %h.
> --
>
> Kind Regards/Mit freundlichen Grüßen
>
> M Haris Farooque