Hi,

     Thanks!!
     It works perfectly!

Ludovic.

On 14/06/2011 21:08, Risto Vaarandi wrote:
> 2011/6/14 Ludovic Hutin<ludovic.hu...@ac-nancy-metz.fr>:
>> Hi,
>>
>>      I need help (again)...
>>
>>      I have many entries like PATTERN1(time) PATTERN2(username) PATTERN3(ip)
>>      I want to log to a file the unique IP of a user, with a timeout of 10mn
>>
>>      12h20    USERA    10.10.10.10 =>  this entry has to be logged (with an
>> action=write directive)
>>      12h21    USERA    10.10.10.10 =>  This one is not needed (counter is
>> reset to 10mn)
>>      12h25    USERA    10.10.10.10 =>  This one is not needed (counter is
>> reset to 10mn)
>>      12h46    USERA    10.10.10.10 =>  Timeout of 10mn exceeded, we log again
>>
>>      And for more fun, I have many, many users
>>
>>      What is the best way to do that?
> Try SingleWithSuppress rule with a window of 600 seconds, for example:
>
> type=SingleWithSuppress
> ptype=RegExp
> pattern=(\S+) ([\d.]+)
> desc=User  $1 logged in from $2
> action=write - %s
> window=600
>
> Note that this rule will suppress repeated messages for the same user
> AND the same IP for 10 minutes. If you would like to suppress repeated
> messages for the same user name, regardless of the address, remove the
> $2 variable from the 'desc' field, e.g., desc=User $1 login
> (The man page section
> http://simple-evcorr.sourceforge.net/man.html#EVENT%20CORRELATION%20OPERATIONS
> contains a detailed discussion of how the 'desc' field of a rule
> influences the scope of event correlation.)
>
> HTH,
> risto
>
>>      After that, I want to correlate with an existing EventGroup, but
>> that's another story ;)
>>
>> Best regards,
>> Ludovic.
>>
>> ------------------------------------------------------------------------------
>> EditLive Enterprise is the world's most technically advanced content
>> authoring tool. Experience the power of Track Changes, Inline Image
>> Editing and ensure content is compliant with Accessibility Checking.
>> http://p.sf.net/sfu/ephox-dev2dev
>> _______________________________________________
>> Simple-evcorr-users mailing list
>> Simple-evcorr-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>>
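
A small Python model of the suppression scoping discussed in the thread above, added here as an example; it is not SEC code and not from either poster. The function name `suppress`, the `per_ip` switch and the sample events are constructed, and the model assumes a fixed window that opens at the first written event for a key.

```python
import re

# Constructed sample input in the "time user ip" shape from the question.
SAMPLE = """\
12h20 USERA 10.10.10.10
12h21 USERA 10.10.10.10
12h25 USERA 10.10.10.10
12h26 USERA 10.10.10.99
12h27 USERB 10.10.10.10
12h46 USERA 10.10.10.10
"""

LINE = re.compile(r"(\d+)h(\d+)\s+(\S+)\s+([\d.]+)")

def suppress(lines, window=600, per_ip=True):
    """Return the messages that would be written.

    Model (assumption): the first event for a key is written and opens a
    window of `window` seconds; later events with the same key inside
    that window are dropped. The key plays the role of the rule's 'desc'
    string: (user, ip) when per_ip is True, the user alone otherwise.
    Times are time-of-day only; midnight rollover is not handled.
    """
    open_until = {}  # key -> second of day at which suppression ends
    written = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # lines that do not match the pattern are ignored
        hh, mm, user, ip = m.groups()
        now = int(hh) * 3600 + int(mm) * 60
        key = (user, ip) if per_ip else user
        if key in open_until and now < open_until[key]:
            continue  # still inside the suppression window for this key
        open_until[key] = now + window
        written.append(f"User {user} logged in from {ip}" if per_ip
                       else f"User {user} login")
    return written

if __name__ == "__main__":
    for scope in (True, False):
        print("per_ip =", scope)
        for msg in suppress(SAMPLE.splitlines(), per_ip=scope):
            print("  ", msg)
```

With the user-and-IP key, the 12h26 login from a second address is written; with the user-only key it is suppressed along with the repeats.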
