Hi Risto,

thank you very much for the clarification.
I thought in this direction, but I was not sure how and why the  
warning is logged.

If I were asked, I would say that a command-line switch to sec  
would be nice where you can switch the "warning behaviour" on or off.  
But I would assign that a very low priority...

Best Regards,

Tom

Zitat von Risto Vaarandi <risto.vaara...@seb.ee>:

> hi Thomas,
>
> these error messages are actually not caused by the rule below, but
> rather by other rules which employ the %n variable.
>
> When SEC loads its rules, all paths to external programs are checked and
> if the program is not found, a warning message is logged. In your case,
> you have of course specified the full path, thus finding the program
> would not be an issue. But unfortunately the assignment to %n variable
> happens at run time, after rules have already been loaded. Therefore,
> when SEC loads a rule, it is impossible to verify if %n will contain a
> valid program name at run time. For this reason, SEC logs this warning
> (the warning is also logged for programs not given with full paths and
> not found relative to the current directory, even if they are later
> successfully found due to proper settings of the PATH environment variable).
>
> In the past, some people have argued against this message, while it was
> originally introduced at the request of other users. If this warning is
> annoying for the majority of the users, it is not a problem for me to
> remove it from the code.
>
> kind regards,
> risto
>
> On 09/30/2011 12:12 PM, Thomas Wollner wrote:
>> Hello List,
>>
>> I have the following SEC rule:
>>
>> type=single
>> desc=input facts file
>> ptype=regexp
>> continue=TakeNext
>> pattern=^SEC_STARTUP$|^SEC_RESTART$|^SEC_SOFTRESTART$
>> action=assign %n /opt/sec/tools/mytool.sh; \
>>
>>
>> upon starting or reloading the SEC process I receive the following
>> warning message in my sec.log
>>
>>    sec.pl[20304]: Rule in /opt/sec/rules/cisco.rule at line 887:
>> Warning - could not find '%%n'
>>
>> I receive the warning message for each use of the assigned %n.
>>
>> Everything works as expected, but the warning messages appear every
>> time I reload or restart my SEC process.
>>
>> I'm using sec 2.6.1 on debian 6.0 (amd64) with perl 5.10.1.
>>
>> Any ideas?
>>
>> Thank you in advance,
>>
>> Best regards,
>>
>> Tom
>>
>>
>>
>>
>>
>> ----------------------------------------------------------------
>> This message was sent using IMP, the Internet Messaging Program.
>>
>>
>>
>> ------------------------------------------------------------------------------
>> All of the data generated in your IT infrastructure is seriously valuable.
>> Why? It contains a definitive record of application performance, security
>> threats, fraudulent activity, and more. Splunk takes this data and makes
>> sense of it. IT sense. And common sense.
>> http://p.sf.net/sfu/splunk-d2dcopy2
>> _______________________________________________
>> Simple-evcorr-users mailing list
>> Simple-evcorr-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>>
>
>

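As an added illustration of the behaviour Risto describes (this rule file is constructed for this note and is not from the thread or from the SEC project), here are the assign rule from Tom's post followed by two rules that call the same program: one with a literal absolute path, one through %n. The shellcmd action and the $1 capture variable are SEC's own; the interface up/down patterns, the argument passed to the tool and the existence of /opt/sec/tools/mytool.sh are assumptions. Only the third rule can draw the "could not find '%%n'" warning, because at load time its action text is still the literal string %n, while the second rule's path can be checked on disk as soon as the rules are read.

```text
# Constructed example SEC rule file; /opt/sec/tools/mytool.sh is assumed to exist.

# 1. Assign %n when SEC starts or reloads (as in the original post).
#    The assignment happens at run time, after the rules have been loaded,
#    so the value of %n is not known while rules are being checked.
type=single
desc=set tool path
ptype=regexp
continue=TakeNext
pattern=^SEC_STARTUP$|^SEC_RESTART$|^SEC_SOFTRESTART$
action=assign %n /opt/sec/tools/mytool.sh

# 2. Literal absolute path: SEC can verify this program while loading
#    the rules, so no warning is logged for this rule.
type=single
desc=interface down (literal path)
ptype=regexp
pattern=Line protocol on Interface (\S+), changed state to down
action=shellcmd /opt/sec/tools/mytool.sh down "$1"

# 3. Same program reached through %n: works at run time once rule 1 has
#    fired, but at load time SEC sees only '%n' and cannot find such a
#    program, hence "Warning - could not find '%%n'" in sec.log.
type=single
desc=interface up (via %n)
ptype=regexp
pattern=Line protocol on Interface (\S+), changed state to up
action=shellcmd %n up "$1"
```

If the warning is unwanted and the program path is fixed, rule 2 is the form to use; the %n form remains useful when the path is chosen at run time and the warning is simply the price of that flexibility.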