In message <50b33ca3.7050...@seb.ee>,
Risto Vaarandi writes:
>the first alpha version of SEC-2.7 has been released and is available at 
>http://sourceforge.net/projects/simple-evcorr/files/sec/2.7.alpha1/sec-2.7.alpha1.tar.gz/download

Good news.

>It has quite many new features, including 14 new actions which allow for 
>more advanced operations on contexts, but also conditional execution 
>with if-action and loops with while-action.

Ooh nice.

>PerlFunc patterns have been augmented with an opportunity to set named 
>match variables. For all pattern types which set match variables, 
>previously cached matches can be accessed with $:{entry:var} syntax. 

Will this allow the incremental parsing I was discussing on the list?

  type = single
  continue = TakeNext
  desc = parse standard syslog info
  rem = 2011-11-06T00:29:07.388514+00:00 rtr01 sshd[3456]:
  ptype = regexp
  pattern = ^.{32} (\w+) (\w+)\[(\d+)\]:
  varmap = syslog; host=1; service=2; pid=3; line=0
  action = none


  type = single
  desc = log all rtr1 failing sshd entries
  ptype = substr
  pattern = fail
  context = =($:{syslog:host} eq "rtr01")
  action = write sshd_failure_log $:{syslog:line}

will do the "right thing" 8-). Also, will this work if they are in two
different files (e.g. if the first rule resulted in a jump to, say,
$2_rules.sr)?

>Not all features which I had in mind or which were discussed in the 
>mailing list were implemented. In fact, when writing the first alpha 
>release, I created 3-4 different implementations with different feature 
>sets enabled, and benchmarked them against larger event volumes. The 
>testing clearly revealed that some features would decrease the 
>performance of the tool by 10-15%, and enabling them all would impose a 
>hard penalty on all users. Therefore I opted for a more conservative 
>approach and implemented only those things which add true value to the 
>end user without sacrificing performance.

Is there a changelog and examples available separately from the
download so I know what new things to look for?

--
                                -- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
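
A small Python model of the two-rule incremental parsing asked about above, added here as an illustration; it is not part of the original message and is not SEC's own code. It assumes the match cache is emptied before each input line and that variable 0 holds the whole input line; the function name and the sample log lines are constructed.

```python
import re

# Rule 1 pattern from the post: 32-character timestamp, host, service[pid]:
HEADER = re.compile(r'^.{32} (\w+) (\w+)\[(\d+)\]:')
# varmap from the post: syslog; host=1; service=2; pid=3; line=0
VARMAP = {"host": 1, "service": 2, "pid": 3, "line": 0}

# Constructed sample input (not taken from any real system).
SAMPLE = [
    "2011-11-06T00:29:07.388514+00:00 rtr01 sshd[3456]: authentication failure for root",
    "last message repeated 3 times: login failed",
    "2011-11-06T00:29:08.102933+00:00 rtr02 sshd[811]: authentication failure for admin",
    "2011-11-06T00:29:09.000001+00:00 rtr01 sshd[3456]: session opened for user ops",
]


def process(lines):
    """Run both rules over each line; return what the second rule would write."""
    written = []
    for line in lines:
        # Assumption: the cache starts empty for every input line, so a
        # header parsed from an earlier line can never satisfy rule 2.
        cache = {}

        # Rule 1 (continue=TakeNext): parse the syslog header, cache the
        # named fields under "syslog", then fall through to the next rule.
        m = HEADER.match(line)
        if m:
            # Assumption: index 0 means the whole input line, not just the
            # part of the line the regular expression consumed.
            cache["syslog"] = {
                name: (line if idx == 0 else m.group(idx))
                for name, idx in VARMAP.items()
            }

        # Rule 2: substring "fail" plus a context check on the cached host.
        entry = cache.get("syslog")
        if "fail" in line and entry is not None and entry["host"] == "rtr01":
            written.append(entry["line"])
    return written


if __name__ == "__main__":
    for out in process(SAMPLE):
        print(out)
```

The second sample line contains "fail" but has no syslog header, so under the per-line cache assumption it is not written even though it directly follows an rtr01 event.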
