The file attached is for DNS, not DHCP.

Events are timed when they come in to SEC, not when they come in to the log
file.  If you spawn a dump of the log file which contains 1 entry per hour
for 24 hours, SEC will see 24 events come in immediately.  It cannot parse
the log file for the time the event came in.

If you include your DHCP sec.cfg, we might be better able to help.

--
Justin J. Novack
Official Disturber of the Peace


On Wed, Nov 9, 2011 at 10:25 PM, Tim Peiffer <peif...@umn.edu> wrote:

> I am trying to instrument sections on our network where various protocol
> chat dialog is missing.  In the attached example case, I am looking at
> DHCP, and the transition between the broadcast discovery and the actual
> leasing.  That is to say, the client did hear an OFFER and emit a REQUEST.
>
> I am trying to trigger or arm a notice once the loss becomes greater than
> say 20 losses within an hour for a particular server/ip/mac tuple, and
> disarm once there have been zero losses within an hour.
>
> I wrote a config and something seems wrong.  It takes about 40-50 some
> events to trigger the 'repeated loss' event within an hour.  The whole
> process seems spongy.  I send in 20 events rapid fire, and I receive 12
> events signalling loss.  Can you all recommend a config that would be more
> responsive and more deterministic?
>
> --
> Tim Peiffer
> Network Support Engineer
> Office of Information Technology
> University of Minnesota/NorthernLights GigaPOP
>
> +1 612 626-7884 (desk)
>
>
>
> ------------------------------------------------------------------------------
> RSA(R) Conference 2012
> Save $700 by Nov 18
> Register now
> http://p.sf.net/sfu/rsa-sfdev2dev1
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>
>
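
Added example, not part of the original thread and not the poster's configuration: one SEC rule shape for the arm/disarm behaviour asked about above, using the SingleWith2Thresholds rule type. The log line format and the regular expression are assumptions; both windows are measured from the moment SEC reads each line, as the reply notes, not from any timestamp inside the log.

```conf
# Constructed example. Assumed input line format (hypothetical):
#   dhcp-loss server=10.0.0.1 ip=10.1.2.3 mac=00:11:22:33:44:55
#
# $1/$2/$3 in desc give each server/ip/mac tuple its own counter.
# Arm:    20 matching lines read by SEC within 3600 seconds.
# Disarm: after arming, no matching line read for 3600 seconds
#         (thresh2=0 within window2).
type=SingleWith2Thresholds
ptype=RegExp
pattern=dhcp-loss server=(\S+) ip=(\S+) mac=(\S+)
desc=DHCP loss $1 $2 $3
action=write - ARMED: repeated DHCP loss for $1 / $2 / $3
window=3600
thresh=20
desc2=DHCP loss cleared $1 $2 $3
action2=write - DISARMED: no DHCP loss for $1 / $2 / $3 in the last hour
window2=3600
thresh2=0
```

Replaying an old log file into this rule counts every line as arriving now, so a day of hourly entries dumped at once lands in a single window.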