Hi Risto, thank you for the encouraging pat on the back ;)
I'm taking a closer look at the documentation and the tutorial from Jim Brown (nice document) at the moment. But I'm still not able to solve my problem. Here is a rule set that:

- saves "IP not reachable" messages in a context
- deletes the IP from the context if the server is reachable again
- reports all context entries if you send a "ReportMe" message to SEC

###################################################################
# One of the sources is not reachable
#
# Sample log message:
#
# Source 193.124.4.177 offline
#
# Add the IP to the context SOURCE_STATUS
#
###############
type=Single
ptype=RegExp
pattern=Source (.*) offline
desc=Add the IP to the context SOURCE_STATUS
action=add SOURCE_STATUS $1

##################################################################
#
# One of the sources is reachable again
#
# Sample log message:
#
# Source 86.57.151.18 online
#
# Remove the IP from the context SOURCE_STATUS
#
###############
type=Single
ptype=RegExp
pattern=Source (.*) online
desc=Remove the IP from the context SOURCE_STATUS
action=eval %funcptr ( sub { my(@buf) = split(/\n/, $_[0]); \
       my(@ret) = grep(!/$1/, @buf); return @ret; } ); \
       copy SOURCE_STATUS %in; call %out %funcptr %in; \
       fill SOURCE_STATUS %out

##################################################################
#
# Pattern 'ReportMe' executes the report action
#
###############
type=Single
ptype=RegExp
pattern=ReportMe
context=SOURCE_STATUS
desc=$0
action=report SOURCE_STATUS /bin/cat

##################################################################
#
# End
#
###############

Now I feed SEC with these messages:

Source AAA offline
Source BBB offline
Source CCC offline
Source AAA online
Source BBB online
Source CCC online

3 servers are offline and then online again. The result should be an empty context ... But "CCC" is still there. Even sending another:

Source CCC online

does not clear the context ... Strange. Don't know what I'm doing wrong.
Thanks,

-Ralf-

From "Risto Vaarandi" <risto.vaara...@gmail.com>:

>> Hi Risto,
>>
>> arghhh ... the solution for my problem is even in the man page :(
>>
>> Changing "C1" and "/^#/" -> ready to go
>>
>> Well ... that means ... I'm the winner of the 2011 "Did not RTFM" award.
>
> No problem. The man page has become quite large over the years, and
> although I attempted to rewrite and shorten it for the 2.6 version, the
> word "page" (in singular) is highly misleading :) In fact, we are
> talking about 35 pages (at least that's the result with groff -T ps
> -man), so it's a larger whitepaper. And it is impossible to
> permanently memorize all details you have read from such a document :)
> regards,
> risto
>
>> Thank you,
>>
>> -Ralf-
>>
>> From "Risto Vaarandi" <risto.vaara...@gmail.com>:
>>
>>> hi Ralf,
>>> although there is no separate action for this purpose, the context
>>> event store can be filtered in various ways through several actions. I
>>> would assign the event store to an action list variable, pass this
>>> variable to Perl code for filtering, and assign the result back to
>>> the context event store. Here is one example (taken from the SEC man
>>> page):
>>>
>>> eval %funcptr ( sub { my(@buf) = split(/\n/, $_[0]); \
>>> my(@ret) = grep(!/^#/, @buf); return @ret; } ); \
>>> copy C1 %in; call %out %funcptr %in; fill C1 %out
>>>
>>> If filtering is designed to be done only in one place, using the newer
>>> 'lcall' action would be even shorter.
>>> regards,
>>> risto
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
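As an added, stand-alone example (not code from the thread and not SEC's own code), the filter function that the 'call' action in the posted rule invokes, run directly with perl against a constructed event store. It assumes what the rule set above implies: the context holds one bare address per source, because the first rule stores it with 'add SOURCE_STATUS $1', and 'copy' delivers those entries joined with "\n" in $_[0], as the man page example's split(/\n/, $_[0]) expects. The address is passed in as a function argument rather than relying on $1 inside the eval'd code; the function names filter_naive and filter_strict and the sample addresses are made up for the illustration. The second filter shows a caveat a practitioner would want to check: an IP interpolated into an unescaped, unanchored regexp over-matches, since '.' matches any character and the pattern is only a substring test.

```perl
#!/usr/bin/perl
# Added illustration of the event store filtering done by the
# "eval ... copy ... call ... fill" action chain discussed in the thread.
# Not SEC's own code and not the posted rule set: it models what the
# Perl function handed to 'call' receives ($_[0], the entries joined
# with "\n") and returns (the list of entries that 'fill' should keep).
# Assumption from the rule set: entries are bare addresses, as added
# with 'add SOURCE_STATUS $1'.
use strict;
use warnings;

# Filter as written in the posted rule: drop every entry matching /$ip/.
# The address is interpolated as an unanchored, unescaped regexp, so '.'
# matches any character and "10.0.0.1" also removes "10.0.0.10" and
# "110.0.0.1".
sub filter_naive {
    my ($store, $ip) = @_;
    my @buf = split(/\n/, $store);
    return grep { !/$ip/ } @buf;
}

# Stricter filter: \Q...\E quotes the regexp metacharacters in the
# address and ^...$ anchors the match, so exactly one source is removed.
sub filter_strict {
    my ($store, $ip) = @_;
    my @buf = split(/\n/, $store);
    return grep { !/^\Q$ip\E$/ } @buf;
}

# Constructed event store with three distinct sources (sample data, not
# from a real system). Hypothetical addresses chosen so that the naive
# pattern for the first one also matches the other two.
my $store = join("\n", "10.0.0.1", "10.0.0.10", "110.0.0.1");

my @naive  = filter_naive($store, "10.0.0.1");
my @strict = filter_strict($store, "10.0.0.1");
print "naive  after 10.0.0.1 online: [", join(", ", @naive), "]\n";
print "strict after 10.0.0.1 online: [", join(", ", @strict), "]\n";

# Replay the sequence from the post with the strict filter: AAA, BBB
# and CCC are in the store, then come back online one by one.
my $text = join("\n", qw(AAA BBB CCC));
for my $ip (qw(AAA BBB CCC)) {
    my @kept = filter_strict($text, $ip);
    $text = join("\n", @kept);
    print "after $ip online: [", join(", ", @kept), "]\n";
}
```

With the naive pattern the single "10.0.0.1 online" event empties the whole store, because all three entries contain that substring once the dots are treated as wildcards; the anchored, quoted pattern removes only the one entry. In the replay loop the store shrinks by exactly one entry per "online" event and is empty after the third, which is the behaviour the post expects from the rule set.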