On 12/14/2011 04:19 PM, mindman101 wrote:
> Hi Risto,
>
> Thanks for your answer, you've got the idea.
>
> However, I still have a final doubt.
>
> The association among root cause and its son events are both IP and device
> name. So, the Single rule and the Eventgroup rule type work fine from your
> example but the second one requires that each event arrives at least once.
>
> How would you apply a rule like Eventgroup but without needing all events
> arrive at least once? I mean, the root cause must trigger the context for the
> son events (the Single rule) but it's desired that the Eventgroup rule match
> with one, two or more events.
>
> For example, I'll call the root cause as P1 and its son events as S1, S2 and
> S3, then the idea is to match and report the following occurrences:
>
> P1 -> S1 or
> P1 -> S3 & S2 or
> P1 -> S2 & S3 & S1 or
> any other combination
>
> Cheers,
>
> Gaoke
>
I would address this problem with the following rule logic:

1) have a rule which matches P1 event with Single rule and creates a context for the host name and interface name (for example, PROBLEM_host12_eth3). Set the context lifetime to N seconds and action-on-expire to something that reports the context event store. N is the window for capturing P1 and optional S1, S2 and S3 that might follow. Finally, add P1 to the context as the first event.

2) have three Single rules which match S1, S2 and S3 events if the context PROBLEM_ exists for a given host name and interface name. Each time there is a match, the event is added to the context.

Since in the first rule you have configured reporting the context, P1 and optional follow-up events S* will get reported after N seconds.

In the SEC FAQ, there is an example which follows this thinking quite closely:
http://simple-evcorr.sourceforge.net/FAQ.html#17

Although it is written for events of one type only, I think it is straightforward to extend it for several event types, given the examples you already have from previous posts.

HTH,
risto

> ------------------------------------------------------------------------------
> Cloud Computing - Latest Buzzword or a Glimpse of the Future?
> This paper surveys cloud computing today: What are the benefits?
> Why are businesses embracing it? What are its payoffs and pitfalls?
> http://www.accelacomm.com/jaw/sdnl/114/51425149/
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
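As an added illustration (not a rule file from this thread or from the SEC project), here is one way to write the two-step rule logic described above as a SEC rule file. Everything concrete in it is an assumption: the input line format is constructed (`<mon> <day> <time> <host> netmon: <EVENT> on <iface>`), the window N is set to 60 seconds, the report step appends the context's event store to a log file, the three S-rules are collapsed into a single rule with the alternation `(S[123])`, and a `!PROBLEM_...` guard on the first rule makes a repeated P1 inside the window be ignored instead of touching the existing context.

```sec
# Added example, not from the original thread or the SEC distribution.
# Assumed (constructed) input format:
#   "Dec 14 16:19:00 host12 netmon: P1 on eth3"
#   "Dec 14 16:19:07 host12 netmon: S2 on eth3"
# N, the capture window after the root cause, is 60 seconds here.

# Rule 1: the root cause P1 creates the per-host/per-interface context
# PROBLEM_<host>_<iface>, arranges a report of the event store when the
# context expires after 60 s, and stores the P1 line as the first event.
# The negated context expression ignores a second P1 for the same
# host/interface while the window is still open (assumed behaviour choice).
type=Single
ptype=RegExp
pattern=^\S+ \d+ \S+ (\S+) netmon: P1 on (\S+)$
context=!PROBLEM_$1_$2
desc=Root cause P1 on $1 $2
action=create PROBLEM_$1_$2 60 (report PROBLEM_$1_$2 /bin/cat >> /var/log/sec-problems.log); add PROBLEM_$1_$2 $0

# Rule 2: follow-up events S1, S2 and S3 are collected only while the
# matching context exists, i.e. within 60 s of P1 on the same host and
# interface. Zero, one or more of them may arrive in any order; none is
# required for the report, which always fires when the context expires.
# (The thread suggests three separate Single rules; the alternation
# (S[123]) folds them into one, which is an assumption of this example.)
type=Single
ptype=RegExp
pattern=^\S+ \d+ \S+ (\S+) netmon: (S[123]) on (\S+)$
context=PROBLEM_$1_$3
desc=Follow-up $2 on $1 $3
action=add PROBLEM_$1_$3 $0
```

With these rules, a P1 for host12/eth3 followed within 60 seconds by S2 and then S3 produces one report containing three lines (P1, S2, S3); a P1 with no follow-ups still produces a one-line report after 60 seconds; and an S-event for a host/interface that has no open PROBLEM_ context is simply dropped, which is the "one, two or more events" behaviour the question asks for. The interface name is taken from its own capture group in each rule so that events from a different interface on the same host never land in the wrong context.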