Risto Vaarandi wrote:

> As I understand, you would like to do some sort of balance checking if
> every foo has a corresponding bar? The event correlation operations
> that Pair and PairWithWindow rules trigger actually consume repeated
> instances of the first event silently (in your case foo). In the case
> of your rule, mail will only be sent if no "bar" appears at all within
> 2 seconds after "foo".
Hmm. That's actually not the behavior I'm seeing. I logged 3 foos followed by 3 bars, all within one second, and was sent a notification.

> My question -- do those events have identifiers which tell which bar
> belongs to which foo? If so, then it would be easy to modify this rule
> -- you would have to match the identifier with the regexp and use it as
> the event correlation key (set by the 'desc' field).
> However, if there are no such identifiers and you wish to perform
> counting based balance checking, the task becomes not so simple and
> can be solved with some Perl statements imbedded in SEC rules.

Yeah, unfortunately there are no unique IDs or anything useful like that. The real log lines are nearly as generic as my example. The foo and corresponding bar will always be within a second or two, dunno if that helps or hurts.

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
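The counting-based balance check Risto describes (no identifiers, so every "foo" must simply be answered by some "bar" within the window) can be shown in plain code before it is translated into Perl inside SEC rules. The following is an added example, not code from the thread or from the SEC project: it keeps a FIFO queue of outstanding foo timestamps rather than a bare counter, so it can report which foo went unanswered as well as any bar that arrives with nothing to pair against. The 2-second window comes from the thread; the regexps, the `(timestamp, line)` input shape and the sample events are assumptions constructed for the example.

```python
import re
from collections import deque

# Window within which every "foo" must be answered by a "bar" (from the thread).
WINDOW_SECONDS = 2.0

# Assumed patterns: the real log lines are taken to contain the literal words
# "foo" and "bar", as in the poster's example.
FOO_RE = re.compile(r"\bfoo\b")
BAR_RE = re.compile(r"\bbar\b")


def check_balance(events, window=WINDOW_SECONDS, end_time=None):
    """Counting-based balance check over a time-ordered event stream.

    events:   iterable of (timestamp_seconds, log_line), oldest first.
    end_time: clock value at which to stop; None means the input is complete,
              so every foo still waiting is reported as unmatched.
    Returns (unmatched_foos, unmatched_bars): timestamps of foos that got no
    bar within `window` seconds, and of bars that had no outstanding foo.
    """
    pending = deque()       # timestamps of foos still waiting for a bar (FIFO)
    unmatched_foos = []
    unmatched_bars = []

    def expire(now):
        # A foo older than the window has missed its bar: raise it.
        while pending and now - pending[0] > window:
            unmatched_foos.append(pending.popleft())

    for ts, line in events:
        expire(ts)
        if FOO_RE.search(line):
            pending.append(ts)
        elif BAR_RE.search(line):
            if pending:
                pending.popleft()   # oldest outstanding foo is now balanced
            else:
                unmatched_bars.append(ts)

    # Final sweep once the clock has moved on (or the input has ended).
    expire(float("inf") if end_time is None else end_time)
    return unmatched_foos, unmatched_bars


# Constructed sample: three foos followed by three bars within one second.
BALANCED = [
    (100.0, "foo started"),
    (100.1, "foo started"),
    (100.2, "foo started"),
    (100.5, "bar finished"),
    (100.6, "bar finished"),
    (100.7, "bar finished"),
]

# Constructed sample: two foos, only one bar, then an unrelated line later.
UNBALANCED = [
    (200.0, "foo started"),
    (200.5, "foo started"),
    (200.8, "bar finished"),
    (205.0, "unrelated line"),
]

if __name__ == "__main__":
    print("balanced:  ", check_balance(BALANCED))     # ([], [])
    print("unbalanced:", check_balance(UNBALANCED))   # ([200.5], [])
```

With the balanced sample nothing is reported, which is the behaviour the poster expected; in the unbalanced sample the single bar pairs with the oldest foo (FIFO), and the second foo is reported as soon as a later event moves the clock past the window. Inside SEC the same state would live in Perl variables updated from the rule actions, and a periodic rule (or the arrival of the next event, as here) would perform the expiry sweep.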