Hi, thanks for the answers. I have to look at the path my log file takes; the logs are redirected from one host to another. I think I have some buffer that sends several packets at the same time. Perfect for multact, it's exactly what I want!
You're the best! Ludovic.

On 13/06/2011 12:22, Risto Vaarandi wrote:
> hi Ludovic,
> here are quick answers to your questions.
> The %t variable is set according to the clock of the node where SEC is
> running. However, the timestamps of log messages are often set by the
> network node which emitted the messages. Therefore, the value of %t
> variable can differ from the timestamp taken from the log file message.
> Even if clocks are synchronized across all network nodes, message
> transmission might still take time, and thus you might experience
> occasional differences.
> As for your second question, if you don't want to get an e-mail after
> each event above threshold, set 'multact' to 'no' or delete 'multact'
> field from rule definition (default value for 'multact' is 'no').
> hope this helps,
> risto
>
> On 06/10/2011 11:48 AM, Ludovic Hutin wrote:
>> Hi all,
>>
>> We are using sec for some log correlation with this configuration:
>>
>> type=EventGroup
>> ptype=regexp
>> pattern=ERROR,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),(PATTERN_A|PATTERN_B|PATTERN_C|PATTERN_D|PATTERN_E|PATTERN_F|PATTERN_G|PATTERN_H[^,]*|PATTERN_I),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*)
>> count=lcall %ret $13 -> ( sub { ++$ucounts{$_[0]}; } ); \
>> write /logs/result/$13.login %t $8 ; \
>> add USER_$13 $0
>> desc=User $13 appear
>> action=pipe 'sendMail' /root/sendMail.pl $13 ;
>> multact=yes
>> end=lcall %ret $13 -> ( sub { return delete $ucounts{$_[0]}; } ); \
>> report USER_$13 /bin/echo %t $13 %ret>> /logs/result.txt; \
>> delete USER_$13
>> window=1800
>> thresh=4
>>
>> It works perfectly, and we get an email when a user generates 4 entries
>> during 30 min.
>>
>> First question:
>>
>> I have a question about the first %t value in the count
>> directive: when I look at my file, I always see the same time.
>>
>> Example:
>> ...
>> Fri Jun 10 10:08:37 2011 PATTERN_A
>> Fri Jun 10 10:08:37 2011 PATTERN_A
>> Fri Jun 10 10:08:37 2011 PATTERN_A
>> Fri Jun 10 10:08:49 2011 PATTERN_A
>> Fri Jun 10 10:08:49 2011 PATTERN_A
>> Fri Jun 10 10:08:49 2011 PATTERN_A
>> ...
>>
>> The events don't come at the same time in the source log file.
>> Is it normal that the time changes? Am I doing something wrong?
>>
>> Second question:
>>
>> If a 5th, 6th, 7th... event appears for the same user during the 30 min, I receive
>> a second, third, fourth... mail.
>> I would like to receive only one mail during the window time. Is it
>> possible with the EventGroup rules?
>>
>> I hope my English is not too bad ;)
>>
>>
>> Ludovic.
>>
>> ------------------------------------------------------------------------------
>> EditLive Enterprise is the world's most technically advanced content
>> authoring tool. Experience the power of Track Changes, Inline Image
>> Editing and ensure content is compliant with Accessibility Checking.
>> http://p.sf.net/sfu/ephox-dev2dev
>> _______________________________________________
>> Simple-evcorr-users mailing list
>> Simple-evcorr-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
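A small model of the 'multact' behaviour Risto describes, added here as an example (it is not code from the thread or from the SEC project): it replays constructed events for one user through a simplified EventGroup window and counts how often the mail-sending action list would run with multact=yes versus multact=no. It assumes events arrive sorted by time, and it leaves out SEC's window sliding and the write/report actions.

```python
# Constructed sample input (not from the original log): (timestamp_in_seconds, user).
# Six events for one user within a few minutes, then a seventh after the window.
EVENTS = [(0, "alice"), (60, "alice"), (120, "alice"), (180, "alice"),
          (240, "alice"), (300, "alice"), (2000, "alice")]


def simulate(events, window=1800, thresh=4, multact=False):
    """Replay events through a simplified EventGroup operation per user.

    Returns a list of (timestamp, user, kind) in firing order, where kind is
    'action' (the list that pipes to sendMail.pl) or 'end' (the end list).
    Assumption: events are sorted by timestamp; window sliding is not modelled.
    """
    fired = []
    ops = {}  # user -> state of the running correlation operation

    def expire(now):
        # Close every operation whose window has elapsed and run its 'end' list.
        for user, op in list(ops.items()):
            if now >= op["start"] + window:
                fired.append((op["start"] + window, user, "end"))
                del ops[user]

    for t, user in events:
        expire(t)
        op = ops.setdefault(user, {"start": t, "count": 0, "triggered": False})
        op["count"] += 1
        # The action list runs once when thresh is reached; with multact=yes it
        # runs again for every further matching event inside the same window.
        if op["count"] >= thresh and (multact or not op["triggered"]):
            op["triggered"] = True
            fired.append((t, user, "action"))

    expire(float("inf"))  # flush: every remaining window eventually ends
    return fired


def count_mails(events, **kwargs):
    """Number of times the mail-sending action list would run."""
    return sum(1 for _, _, kind in simulate(events, **kwargs) if kind == "action")


if __name__ == "__main__":
    for flag in (True, False):
        label = "yes" if flag else "no"
        print(f"multact={label}: {count_mails(EVENTS, multact=flag)} mail(s)")
```

On the constructed run, multact=yes fires the action for events 4, 5 and 6 (three mails), while multact=no fires it once and then only runs the end list when the 1800 s window closes.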