Re: [Simple-evcorr-users] Filtering duplicate events

Tue, 26 Jul 2011 07:50:44 -0700

How are you invoking SEC? what's the command line yo use to start it?

Cheers!

John G.

Date: Tue, 26 Jul 2011 15:51:01 +0200
From: Elia Mariani <chaotic.eng...@gmail.com>
Subject: [Simple-evcorr-users] Filtering duplicate events
To: simple-evcorr-users@lists.sourceforge.net
Message-ID:
<caopnse8fvrw9qxhb3zmj4r6+asaadm2mzt__tk-9+sn1gj5...@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hello,

I am trying to learn using SEC and I have encountered the following problem:

I am monitoring a text file with the following simplified rule:

type=Single
ptype=RegExp
pattern=foo\s+(\S+)
desc=$0
action="">
Everytime the file is updated, SEC processes it from the start, firing rules
that were already fired before. For example, when I am monitoring a file
that track users logins, everytime a new user logs in, SEC processes the
entire files, executing actions for every login entry. Even for those whose
action has already been executed before.

I would like to know if it is possible to make SEC fire rules only for new
events.

Thanks for the help.
-------------- next part --------------
An HTML attachment was scrubbed...

------------------------------

------------------------------------------------------------------------------
Magic Quadrant for Content-Aware Data Loss Prevention
Research study explores the data loss prevention market. Includes in-depth
analysis on the changes within the DLP market, and the criteria used to
evaluate the strengths and weaknesses of these DLP solutions.
http://www.accelacomm.com/jaw/sfnl/114/51385063/

------------------------------

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users


End of Simple-evcorr-users Digest, Vol 60, Issue 1
**************************************************
 
------------------------------------------------------------------------------
Magic Quadrant for Content-Aware Data Loss Prevention
Research study explores the data loss prevention market. Includes in-depth
analysis on the changes within the DLP market, and the criteria used to
evaluate the strengths and weaknesses of these DLP solutions.
http://www.accelacomm.com/jaw/sfnl/114/51385063/
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users

Reply via email to