hi Gary,
I have to say that the rule looks quite complex. Maybe it's a better idea
to split the logic into two rules? First rule could be the one that you
proposed in the beginning of the thread (the one which decreases the
severity for a given class). However, the second rule would do counting for
events of interest, and would set up a context if two events from different
sources have been seen. In order to do counting, so that each counter
increment happens for a unique event, I would propose to use the EventGroup
rule. In fact, the introduction of the SEC man page contains a relevant
example for SSH login failures. Let me provide a slightly modified part
from the example:
type=EventGroup
init=create USER_COUNTING
end=delete USER_COUNTING
ptype=RegExp
pattern=SSH_LOGIN_FAILURE_FOR_(\S+)
context=!USER_$1_COUNTED
count=alias USER_COUNTING USER_$1_COUNTED
desc=Repeated SSH login failures for 3 distinct users within 1m
action=pipe '%s' /bin/mail -s 'SSH login alert' root@localhost
window=60
thresh=3
This example counts SSH login failure events for *distinct* users, and
sends an e-mail if events for three different usernames have been seen
within 1 minute. As I understood from the mail, you can set the 'window'
field to a fairly large value (perhaps even 1 day or 86400 seconds?), and
also, 'thresh' should simply be changed from 3 to 2. Note that the above
example also uses context aliases, in order to ensure the uniqueness of
each counted username. Also, the aliases are created and dropped by the
'init' and 'end' fields of the EventGroup rule. In short, I would recommend
having a look at higher-end SEC rule types, since sometimes they do many
things for you, which would otherwise require a lot of Perl coding.
kind regards,
risto
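Risto's two-rule layout written out for the NFS case discussed in this thread, as an added example (not rules posted by anyone in the thread). It assumes Gary's field layout (node in $2, class in $4, severity in $5, source in $10), a one-day window as he discussed, and keeps the 300-second lifetime of the stop context from his own rule:

```sec
# Rule 1: count CRITICAL NFS_IS_Slow events per node ($2), at most once per
# distinct source ($10). The counting context NFS_COUNT_<node> gets one
# alias per source seen, and that alias doubles as the "already counted"
# marker checked in the context expression.
type=EventGroup
continue=TakeNext
ptype=perlFunc
pattern=sub { my (@f) = split(/ :: /, $_[0]); return (@f); }
context=!(NFS_SEEN_$2_$10) && ($4 $5) -> ( sub { my ($class, $sev) = @_; \
        return ($class =~ /nfs_slow/i && $sev eq "CRITICAL") ? 1 : 0; } )
init=create NFS_COUNT_$2
end=delete NFS_COUNT_$2
count=alias NFS_COUNT_$2 NFS_SEEN_$2_$10
desc=NFS_IS_Slow on node $2 reported by two distinct sources
action=create NFS_STOP::$2::$10 300
window=86400
thresh=2

# Rule 2: the downgrade rule from the thread (the write to the log file is
# left out here). It stays silent for an event whose NFS_STOP::<node>::<source>
# context exists, i.e. for the source that made the count reach 2 in rule 1,
# so that event keeps its CRITICAL severity.
type=Single
continue=DontCont
ptype=perlFunc
pattern=sub { my (@f) = split(/ :: /, $_[0]); return (@f); }
context=!(NFS_STOP::$2::$10) && ($4 $5) -> ( sub { my ($class, $sev) = @_; \
        return ($class =~ /nfs_slow/i && $sev eq "CRITICAL") ? 1 : 0; } )
desc=NFS_Slow_To_HARMLESS::$2::$10
action=event $1 :: $2 :: $3 :: $4 :: HARMLESS :: $6 :: $7 :: $8 :: $9 :: $10 :: $11 :: $12 :: $13 :: $14
```

Rule 1 must precede rule 2 in the rule file, since the stop context has to exist before the downgrade rule sees the second source's event.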
2013/6/28 Boyles, Gary P <gary.p.boy...@intel.com>
> The timeframe doesn't matter. In my current setup I set the context for
> 300 seconds.
>
> The problem is with the $10 (source) variable. I want to deactivate the
> rule below (i.e. NFS_Slow_To_HARMLESS)
> by creating the context to NFS_STOP::$2::$10 if I receive the same event
> from two different sources.
>
> Here is the rule I ended up with to determine that... it just seems like
> there is probably a very simple way of doing this, that I'm not utilizing
> (i.e. can't see the forest for the trees issue).
>
>
> ################################################################################
> # Notes:
> # 1. monitor ($4) = BEM_CLASS
> # 2. Project ($8) = Site
> # 3. mon_id ($10)= Source
>
> ################################################################################
> type=Single
> continue=TakeNext
> ptype=perlFunc
> pattern=sub { my (@parseStr) = split/ :: /, $_[0]; return (@parseStr); }
> context=($4 $5) -> (sub { my $class = $_[0]; my $severity = $_[1]; \
> if ($class =~ /nfs_slow/i && $severity eq "CRITICAL") {return 1;} else { return 0;}})
> desc=NFS_Slow_Setup::$2::$10
> action=lcall %NFS_Context $2 $10 -> ( sub { my $node = $_[0]; my $source = $_[1]; \
> my $nfs_context = ""; \
> $nfs_context = "NFS::"."$node"."::"."$source"; \
> if (exists $NFS_Slow{$node} == 0) { \
> $NFS_Slow{$node} = $source; \
> return "$nfs_context"; } \
> else { \
> if ($NFS_Slow{$node} ne $source) { \
> $nfs_context = "NFS_STOP::"."$node"."::"."$source"; \
> $NFS_Slow{$node} = $source; \
> return "$nfs_context"; } \
> else { return "$nfs_context"; } \
> } \
> } \
> ) ; create %NFS_Context 300
>
> Thanks for taking a look !!!
>
> Gary Boyles
>
>
> -----Original Message-----
> From: David Lang [mailto:da...@lang.hm]
> Sent: Thursday, June 27, 2013 8:23 PM
> To: Boyles, Gary P
> Cc: simple-evcorr-users@lists.sourceforge.net
> Subject: Re: [Simple-evcorr-users] Looking For A Better Way To Do A
> Rule-Set.
>
> On Fri, 28 Jun 2013, Boyles, Gary P wrote:
>
> > Hi All,
> >
> > I have a request for a rule-set that does the following:
> >
> > 1. An event comes in with "node" in $2, class NFS_IS_Slow in ($4), severity in ($5), and source in ($10).
> >
> > 2. The request is for an event of this class ($4) from node ($2) to change the severity ($5) from CRITICAL to HARMLESS.
> >
> > 3. This is fairly easy to do... with the following rule:
> >
> > type=Single
> > continue=DontCont
> > ptype=perlFunc
> > pattern=sub { my (@parseStr) = split/ :: /, $_[0]; return (@parseStr); }
> > context=!(NFS_STOP::$2::$10) && ($4 $5) -> (sub { my $class = $_[0]; my $severity = $_[1]; \
> > if ($class =~ /nfs_slow/i && $severity eq "CRITICAL") { return 1; } else { return 0; } } )
> > desc=NFS_Slow_To_HARMLESS::$2::$10
> > action=write %SEC_HOME/log/EC.main.log %u %s ; \
> > event $1 :: $2 :: $3 :: $4 :: HARMLESS :: $6 :: $7 :: $8 :: $9 :: $10 :: $11 :: $12 :: $13 :: $14
> >
> > More Info:
> > I have a request to keep the severity of CRITICAL - if the "source" ($10) is different for two events.
> >
> > Question:
> > Is there an easy way to set the context "NFS_STOP::$2::$10" if the source ($10) changes?
> >
> > I've got perl-code that sets this in a rule, and this rule is placed before the one above,
> > but I was looking for a simple way to evaluate a previous event/context and set the context
> > below without using a lot of perl code.
> >
> > Summary:
> >
> > 1. I use the rule above to change/replace the severity from CRITICAL to HARMLESS.
> >
> > 2. But I also need to NOT do that (i.e. deactivate the rule) if $10 is different for two events.
> >
>
> the context can be any string you want, so you can include $10 in the
> context.
>
> Now, the first problem I have is that you want to do something if $10 is
> different for two events, but two events over what timeframe?
> over the entire time that SEC is running?
>
> does the quantity and order of alerts matter? What if you get 10 events
> from one, and 1 event from a second? What if you get 1 event from one and
> 10 events from a second?
>
> You may very well want to have multiple rules processing the same log line
> (takenext=continue) so that you can do different things with the log
> messages, but more info is needed to create the specific rules.
>
> David Lang
>
>
------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:
Build for Windows Store.
http://p.sf.net/sfu/windows-dev2dev
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users