Hi,

The tool can do so many things that we are not clear what we would like to do. We will be doing, for the beginning, some easy cases. Thanks for your code, which works perfectly.
Best regards,
Ludovic.

On 29/03/2011 11:40, Risto Vaarandi wrote:
> Ludovic,
>
> there are several ways to address the problem, but it depends what
> exactly you would like to do.
> Do you want to keep track of different user names, and report current
> counters for all users once in X minutes, or do you rather want to send
> a report for each user after the user has been inactive for X minutes?
> For the latter case, you might want to try an EventGroup rule with the
> following parameters:
>
> type=EventGroup
> ptype=regexp
> pattern=ERROR.*User "(\S+)" attempted to authenticate
> count=lcall %ret $1 -> ( sub { ++$ucounts{$_[0]}; } ); \
> add USER_$1 $0
> desc=User $1 attempted to authenticate
> action=none
> multact=yes
> end=lcall %ret $1 -> ( sub { return delete $ucounts{$_[0]}; } ); \
> report USER_$1 mail -s 'User $1 %ret events seen' root; \
> delete USER_$1
> window=20
>
> Note that with this ruleset, the counters are implemented not as SEC
> variables, but as a Perl hash %ucounts. The 'multact' field of the rule
> has to be set to yes, which forces the event correlation window to slide
> until the last matching event is outside the window (in the case of this
> example this means that 20 seconds have elapsed from the last activity
> from a given user).
>
> kind regards,
> risto
>
> On 03/29/2011 11:22 AM, Ludovic Hutin wrote:
>> Hi again,
>>
>> After reading this documentation,
>> http://sixshooter.v6.thrupoint.net/SEC-examples/article.html
>> it is said that variables are global. I would like to have a context variable.
>>
>> Doing something like that seems impossible: assign %count_$1 1
>>
>> The idea is to count the occurrences of a pattern and send a report every
>> x hours.
>>
>> type=single
>> continue=takenext
>> ptype=regexp
>> pattern=ERROR.*User "(\S+)" attempted to authenticate
>> context=!NB_APPARITION_$1
>> desc=First apparition for user $1
>> action=create NB_APPARITION_$1 0; assign %count 1
>>
>> type=single
>> continue=takenext
>> ptype=regexp
>> pattern=ERROR.*User "(\S+)" attempted to authenticate
>> context=NB_APPARITION_$1
>> desc=%count apparition for user $1
>> action=eval %count ( %count + 1 ); add NB_APPARITION_$1 0; set NB_APPARITION_$1 30 \
>> ( report NB_APPARITION_$1 /bin/echo 'Login : $1 Nb - connexion : %count' >> result.txt )
>>
>> Best Regards,
>> Ludovic.
>>
>> On 28/03/2011 16:42, Ludovic Hutin wrote:
>>> Hello,
>>>
>>> I am new to the extraordinary tool SEC.
>>> I would like to do something like this; in my log file I have this:
>>>
>>> ERROR User toto something wrong ...
>>> ERROR User tita something wrong ...
>>> ERROR User tutu something wrong ...
>>> ERROR User tita something wrong ...
>>> ERROR User toto something wrong ...
>>> ERROR User tita something wrong ...
>>>
>>> I would like to count the number of occurrences for each user and
>>> send a report after X minutes during which we don't see an occurrence of the user.
>>>
>>> type=single
>>> continue=takenext
>>> ptype=regexp
>>> pattern=ERROR.*User (\S+) something wrong
>>> context=!NB_APPARITION_$1
>>> desc=First apparition for user $1
>>> action=create NB_APPARITION_$1 0; assign %nbapparition 1
>>>
>>> type=single
>>> continue=takenext
>>> ptype=regexp
>>> pattern=ERROR.*User (\S+) something wrong
>>> context=NB_APPARITION_$1
>>> desc=%nbapparition error for user $1
>>> action=eval %nbapparition ( %nbapparition + 1 ); add NB_APPARITION_$1 $0; set NB_APPARITION_$1 1800 \
>>> ( report NB_APPARITION_$1 /bin/echo 'Login : $1 Nb - connexion : %nbapparition' >> result.txt )
>>>
>>> I dunno what's wrong, if someone has an idea.
>>>
>>> Thanks in advance for helping.
>>> Ludovic.
>>>
>>> ------------------------------------------------------------------------------
>>> Enable your software for Intel(R) Active Management Technology to meet the
>>> growing manageability and security demands of your customers. Businesses
>>> are taking advantage of Intel(R) vPro (TM) technology - will your software
>>> be a part of the solution? Download the Intel(R) Manageability Checker
>>> today! http://p.sf.net/sfu/intel-dev2devmar
>>> _______________________________________________
>>> Simple-evcorr-users mailing list
>>> Simple-evcorr-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users

- - - - - - - - - - - - - - -
Ludovic Hutin
Pôle Supervision
Académie de Nancy-Metz
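As an added illustration of the semantics Risto describes above (per-user counters kept in a hash, plus a window that slides with every matching event and fires a report only once the user has been quiet for the whole window), the following Python script models that behaviour over a few constructed log lines. It is example code written for this page, not code from the thread, from SEC or from its authors; the timestamps, user names, the 20-second window and the explicit `flush(end_time)` call are assumptions of the simulation, since the real SEC expires windows from its own internal timer rather than from the log lines.

```python
import re
from dataclasses import dataclass, field

# Mirrors the 'pattern' field of the EventGroup rule discussed in the thread.
PATTERN = re.compile(r'ERROR.*User "(\S+)" attempted to authenticate')


@dataclass
class InactivityReporter:
    """Per-user counters with a sliding inactivity window.

    Each matching event restarts the window of the user it names; a report
    for that user is emitted only when no event has arrived for `window`
    seconds.  Counters are keyed by user name (the role of the Perl hash
    %ucounts in the rule), not held in one shared variable, so users never
    overwrite each other's totals.
    """
    window: int = 20
    counts: dict = field(default_factory=dict)
    last_seen: dict = field(default_factory=dict)
    reports: list = field(default_factory=list)

    def _expire(self, now):
        # Emit and drop every user whose quiet period has reached the window.
        for user in list(self.last_seen):
            if now - self.last_seen[user] >= self.window:
                self.reports.append((user, self.counts.pop(user)))
                del self.last_seen[user]

    def feed(self, now, line):
        # Expiry runs before the new event is counted, so an event arriving
        # after a user's window has elapsed starts a fresh group for them.
        self._expire(now)
        m = PATTERN.search(line)
        if not m:
            return
        user = m.group(1)
        self.counts[user] = self.counts.get(user, 0) + 1
        self.last_seen[user] = now

    def flush(self, now):
        # Stand-in for SEC's timer: expire whatever is quiet at time `now`.
        self._expire(now)
        return list(self.reports)


def run(events, window=20, end_time=None):
    """Feed (timestamp, line) pairs in order and return [(user, count), ...]
    in the order the users' windows expired.  Without end_time, the clock
    is advanced one full window past the last event (assumption)."""
    reporter = InactivityReporter(window=window)
    for ts, line in events:
        reporter.feed(ts, line)
    if end_time is None:
        end_time = events[-1][0] + window
    return reporter.flush(end_time)


# Constructed sample input (not from the original thread): seconds offset, log line.
SAMPLE = [
    (0,  'ERROR User "toto" attempted to authenticate'),
    (5,  'ERROR User "tita" attempted to authenticate'),
    (15, 'ERROR User "toto" attempted to authenticate'),  # toto's window restarts at 15
    (18, 'INFO  User "toto" logged in'),                   # no match, ignored
    (30, 'ERROR User "tita" attempted to authenticate'),  # tita quiet since 5: reported, new group
    (33, 'ERROR User "toto" attempted to authenticate'),  # toto quiet for 18 s only: same group
]

if __name__ == "__main__":
    for user, n in run(SAMPLE):
        print(f"User {user}: {n} events seen")
```

Two things the run makes visible that the rule text alone does not: a user who reappears after a quiet period (tita at 30 s) is reported for the first group and then counted again from one, and users still inside their window when input stops are not reported until the clock actually passes the window, which is why the simulation needs an explicit end time.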