Thanks John. I was thinking along those lines, but hadn't quite figured out what code to use.
-----Original Message-----
From: John P. Rouillard [mailto:rou...@cs.umb.edu]
Sent: Wednesday, February 06, 2013 10:40 AM
To: Simple-evcorr-users
Subject: Re: [Simple-evcorr-users] Using environment variable in write within rules.

In message <cagfjscomw-dewxplqsjmaikj+qbtrpobnpb-1_dzfbydg13...@mail.gmail.com>,
Risto Vaarandi writes:
>2013/2/6 Boyles, Gary P <gary.p.boy...@intel.com>:
>> I've been trying to get an environment-variable to work in a write
>> statement, and it doesn't seem to work.
>>
>> This Does Not:
>> ============
>>
>> type=Single
>> continue=DontCont
>> ptype=RegExp
>> pattern=(\d+)\s+::\s+(\S+)\s+::\s+(\S+)\s+::\s+(\S+)\s+::\s+(UNKNOWN).*$
>> desc=SUPPRESS_UNKNOWN_SEV_EVENTS_FROM_NODE::$2
>> action=write $SEC_LOG/sec.suppress.log %u %s
>>
>> Prior to starting script I define and export SEC_LOG
>>
>environment variables are a concept related to a UNIX shell, and
>inside sec they are not visible. Of course, if you trigger command
>lines from sec which get interpreted by the shell, the environment
>variables make sense again [...]
>However, the 'write' action does not involve any execution of an
>external command line which would somehow make this action
>interpretable by the shell, and therefore the environment variables
>are just treated as literary strings.

What you can do is to use perl to assign sec action variable to the
value of an environment variable. E.G. Something like:

  action = eval %SECLOG ($main::ENV{'SEC_LOG'}); \
           write %{SECLOG}/sec.suppress.log ...

I think would work.

--
-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
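
The approach suggested in the thread, written out as a complete rule pair. This is an added example, not code posted by anyone in the thread: it resolves SEC_LOG once at startup instead of on every match and falls back to a directory when the variable is unset. It assumes SEC is started with the -intevents option; the fallback path /var/log/sec is a placeholder.

```conf
# Added example (not from the thread). Requires: sec -intevents ...
# Rule 1: at startup or restart, copy the SEC_LOG environment variable
# into the action list variable %SECLOG. If SEC_LOG is unset or empty,
# use a placeholder directory so the write target never becomes
# "/sec.suppress.log".
type=Single
ptype=RegExp
pattern=^(?:SEC_STARTUP|SEC_RESTART)$
context=SEC_INTERNAL_EVENT
desc=Resolve SEC_LOG from the environment of the sec process
action=eval %SECLOG ( (defined($main::ENV{'SEC_LOG'}) && \
              length($main::ENV{'SEC_LOG'})) \
              ? $main::ENV{'SEC_LOG'} : '/var/log/sec' )

# Rule 2: the rule from the original question, with the shell-style
# $SEC_LOG replaced by the action list variable set in rule 1.
type=Single
continue=DontCont
ptype=RegExp
pattern=(\d+)\s+::\s+(\S+)\s+::\s+(\S+)\s+::\s+(\S+)\s+::\s+(UNKNOWN).*$
desc=SUPPRESS_UNKNOWN_SEV_EVENTS_FROM_NODE::$2
action=write %{SECLOG}/sec.suppress.log %u %s
```

The value is read from the environment of the sec process itself, so SEC_LOG has to be exported before sec starts, and a change to it takes effect only after a restart.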