Hi again,

After reading this documentation,
http://sixshooter.v6.thrupoint.net/SEC-examples/article.html
it's said that variables are global. I would like to have a context variable.
Doing something like this seems impossible:

assign %count_$1 1

The idea is to count the occurrences of a pattern and send a report every x hours.

type=single
continue=takenext
ptype=regexp
pattern=ERROR.*User “(\S+)” attempted to authenticate
context = !NB_APPARITION_$1
desc=First appartion for user $1
action= create NB_APPARITION_$1 0; assign %count 1

type=single
continue=takenext
ptype=regexp
pattern=ERROR.*User “(\S+)” attempted to authenticate
context=NB_APPARITION_$1
desc=%count apparition for user $1
action=eval %count ( %count + 1) ; add NB_APPARITION_$1 0; set NB_APPARITION_$1 30 \
 (report NB_APPARITION_$1 /bin/echo 'Login : $1 Nb - connexion : %count' >> result.txt)

Best Regards,
Ludovic.

On 28/03/2011 16:42, Ludovic Hutin wrote:
> Hello,
>
> I am new to the extraordinary tool SEC.
> I would like to do a thing like that; in my log file I got this:
>
> ERROR User toto something wrong ...
> ERROR User tita something wrong ...
> ERROR User tutu something wrong ...
> ERROR User tita something wrong ...
> ERROR User toto something wrong ...
> ERROR User tita something wrong ...
>
> I would like to count the number of occurrences for each user and
> send a report after X minutes in which we don't see an occurrence of the user.
>
> type=single
> continue=takenext
> ptype=regexp
> pattern=ERROR.*User (\S+) something wrong
> context = !NB_APPARITION_$1
> desc=First apparition for user $1
> action= create NB_APPARITION_$1 0; assign %nbapparition 1
>
> type=single
> continue=takenext
> ptype=regexp
> pattern=ERROR.*User (\S+) something wrong
> context=NB_APPARITION_$1
> desc=%nbapparition error for user $1
> action=eval %nbapparition ( %nbapparition + 1) ; add NB_APPARITION_$1 $0; set NB_APPARITION_$1 1800 \
>  (report NB_APPARITION_$1 /bin/echo 'Login : $1 Nb - connexion : %nbapparition'>> result.txt)
>
> I dunno what's wrong, if someone has an idea.
>
> Thanks in advance for helping.
> Ludovic.
--
Ludovic Hutin
Pôle Supervision
Académie de Nancy-Metz
03 83 86 27 39

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
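Added example, not part of the original message: a small Python model (not SEC rule syntax) of the behaviour asked for above, a count per user that is reported once that user has been quiet for a set time, next to what a single shared counter such as a global %count yields. The timestamps, the function names and the use of 1800 seconds as the idle window are assumptions made for the illustration.

```python
import re

# Constructed sample: the six log lines from the message, with made-up timestamps (seconds).
SAMPLE = [
    (0, "ERROR User toto something wrong ..."),
    (10, "ERROR User tita something wrong ..."),
    (20, "ERROR User tutu something wrong ..."),
    (30, "ERROR User tita something wrong ..."),
    (40, "ERROR User toto something wrong ..."),
    (50, "ERROR User tita something wrong ..."),
]
PATTERN = re.compile(r"ERROR.*User (\S+) something wrong")

def shared_counter(events):
    """One counter for everybody: returns the last value each user's report would show."""
    count, shown = 0, {}
    for _, line in events:
        m = PATTERN.search(line)
        if m:
            count += 1                  # every user increments the same variable
            shown[m.group(1)] = count
    return shown

def per_user_reports(events, idle, end_time):
    """Per-user counter; returns (time, user, count) once a user is silent for `idle` s."""
    state, reports = {}, []             # state: user -> [count, deadline]

    def expire(now):
        # Emit and forget every user whose idle deadline has passed.
        for user in sorted(u for u, (_, d) in state.items() if d <= now):
            count, deadline = state.pop(user)
            reports.append((deadline, user, count))

    for ts, line in events:
        expire(ts)
        m = PATTERN.search(line)
        if not m:
            continue
        entry = state.setdefault(m.group(1), [0, 0])
        entry[0] += 1                   # count kept under the user's own key
        entry[1] = ts + idle            # each match re-arms the idle timer
    expire(end_time)
    return sorted(reports)

if __name__ == "__main__":
    print(shared_counter(SAMPLE))
    print(per_user_reports(SAMPLE, 1800, 3600))
```
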