In message <alpine.deb.2.02.1210180010080.3...@asgard.lang.hm>,
da...@lang.hm writes:
>On Thu, 18 Oct 2012, Paul Sun wrote:
>> Is there any other way?
>not really.
>
>You are telling SEC to ignore duplicates that happen within 60 seconds.
>[...]
>Remember that the desc field isn't anything that a person will ever see
>(other than an admin looking at a dump), it's strictly something for SEC
>to use to decide what items that match the patters should be kept separate
>from each other.
Except that he is using %s in his shellcmd action statement. I usually
discourage using %s myself for just this reason. Desc really should be
treated as a description for SEC and the SEC maintainer not the output
you want normal humans to see.
Move your desc string to replace %s in the shellcmd statement. $1, $2
... are substituted in the action keyword, so you can move the entire
current desc statment to replace %s.
>so your desc line of:
>
>desc=diameterBeClient$2 - NOTICE: {$3} Com: Open for application service via
> peer '$4'. A connection to a peer has reached the \"Open\" state and is now
> available for application usage
>
>is really no better than
>
>desc=connection open $2 $3 $4
I do like to label the fields at least as doumentation of what values
should be substituted.
--
-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_sfd2d_oct
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
