hi Gary,

environment variables are a concept related to a UNIX shell, and inside sec they are not visible. Of course, if you trigger command lines from sec which get interpreted by the shell, the environment variables make sense again. For example,

env MYVAR="this is a test" sec-2.7.0/sec -conf=test.sec -input=-

would start sec with MYVAR set to "this is a test", and an action

shellcmd echo $MYVAR

would write the string "this is a test" to standard output. However, the 'write' action does not involve any execution of an external command line which would somehow make this action interpretable by the shell, and therefore the environment variables are just treated as literary strings.

hope this helps,
risto

2013/2/6 Boyles, Gary P <gary.p.boy...@intel.com>:
> Hi,
>
> I’ve been trying to get an environment-variable to work in a write
> statement, and it doesn’t seem to work.
>
> This is on Ubuntu.
>
> Should this work somehow?
>
> Thanks.
>
> This works:
> =========
> type=Single
> continue=DontCont
> ptype=RegExp
> pattern=(\d+)\s+::\s+(\S+)\s+::\s+(\S+)\s+::\s+(\S+)\s+::\s+(UNKNOWN).*$
> desc=SUPPRESS_UNKNOWN_SEV_EVENTS_FROM_NODE::$2
> action=write /sec/log/sec.suppress.log %u %s
>
> This Does Not:
> ============
> type=Single
> continue=DontCont
> ptype=RegExp
> pattern=(\d+)\s+::\s+(\S+)\s+::\s+(\S+)\s+::\s+(\S+)\s+::\s+(UNKNOWN).*$
> desc=SUPPRESS_UNKNOWN_SEV_EVENTS_FROM_NODE::$2
> action=write $SEC_LOG/sec.suppress.log %u %s
>
> Prior to starting script I define and export SEC_LOG
>
> Thanks for the help.
>
> ------------------------------------------------------------------------------
> Free Next-Gen Firewall Hardware Offer
> Buy your Sophos next-gen firewall before the end March 2013
> and get the hardware for free! Learn more.
> http://p.sf.net/sfu/sophos-d2d-feb
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
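
Added example, not part of the original thread and not code from the sec project: since only the shell expands environment variables, one option is to let the shell expand SEC_LOG when the rule file is generated, so that the 'write' action receives a literal path and no log-derived text passes through a shell. The function name render_rule and the @LOGDIR@ placeholder are hypothetical; the rule body is the one from the question.

```shell
#!/bin/sh
# Added example: generate the rule file with the log directory already
# expanded, instead of expecting sec to expand $SEC_LOG in a 'write' action.

# render_rule DIR: print the rule from the thread with DIR substituted for
# the hypothetical @LOGDIR@ placeholder.
render_rule() {
    dir=$1
    # Require an absolute path so the output file does not depend on the
    # directory sec happens to be started from.
    case $dir in
        /*) ;;
        *) echo "log directory must be an absolute path" >&2; return 1 ;;
    esac
    # Allow only characters that have no special meaning in a sec action
    # list or in the sed replacement below (no whitespace, ';', '%', '$',
    # '|' or '&').
    case $dir in
        *[!A-Za-z0-9._/-]*)
            echo "log directory contains unsafe characters" >&2; return 1 ;;
    esac
    # The here-document is quoted ('EOF'), so the shell leaves $2, the
    # backslashes and the trailing $ of the pattern untouched.
    sed "s|@LOGDIR@|$dir|" <<'EOF'
type=Single
continue=DontCont
ptype=RegExp
pattern=(\d+)\s+::\s+(\S+)\s+::\s+(\S+)\s+::\s+(\S+)\s+::\s+(UNKNOWN).*$
desc=SUPPRESS_UNKNOWN_SEV_EVENTS_FROM_NODE::$2
action=write @LOGDIR@/sec.suppress.log %u %s
EOF
}

# Typical use, with SEC_LOG exported beforehand as in the question:
#   render_rule "$SEC_LOG" > test.sec
#   sec-2.7.0/sec -conf=test.sec -input=-
```

The path is fixed at generation time, so the rule file has to be regenerated whenever SEC_LOG changes.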