...also, the example from the man page sends an e-mail, but it is easy to
change the 'pipe' action to 'create', which sets up a context. Then you
can check for the presence of the context from other rules, and take
actions depending on the presence or lack of the context.
kind regards,
risto
2013/6/28 Boyles, Gary P <gary.p.boy...@intel.com>
> This looks like an interesting solution. I will read the man pages and
> see if I can make it work on my rules.
>
> EventGroup looks like a better way to go.
>
> *From:* Risto Vaarandi [mailto:risto.vaara...@gmail.com]
> *Sent:* Friday, June 28, 2013 11:15 AM
> *To:* Boyles, Gary P; simple-evcorr-users@lists.sourceforge.net
>
> *Subject:* Re: [Simple-evcorr-users] Looking For A Better Way To Do A Rule-Set.
>
> hi Gary,
>
> I have to say that the rule looks quite complex. Maybe it's a better idea
> to split the logic into two rules? The first rule could be the one you
> proposed in the beginning of the thread (the one which decreases the
> severity for a given class). The second rule would do the counting for
> events of interest, and would set up a context if two events from different
> sources have been seen. In order to do the counting so that each counter
> increment happens for a unique event, I would propose using the EventGroup
> rule. In fact, the introduction of the SEC man page contains a relevant
> example for SSH login failures. Let me provide a slightly modified part
> from the example:
>
> type=EventGroup
> init=create USER_COUNTING
> end=delete USER_COUNTING
> ptype=RegExp
> pattern=SSH_LOGIN_FAILURE_FOR_(\S+)
> context=!USER_$1_COUNTED
> count=alias USER_COUNTING USER_$1_COUNTED
> desc=Repeated SSH login failures for 3 distinct users within 1m
> action=pipe '%s' /bin/mail -s 'SSH login alert' root@localhost
> window=60
> thresh=3
>
> This example counts SSH login failure events for *distinct* users, and
> sends an e-mail if events for three different usernames have been seen
> within 1 minute. As I understood from the mail, you can set the 'window'
> field to a fairly large value (perhaps even 1 day or 86400 seconds?), and
> also, 'thresh' should simply be changed from 3 to 2. Note that the above
> example also uses context aliases, in order to ensure the uniqueness of
> each counted username. Also, the aliases are created and dropped by the
> 'init' and 'end' fields of the EventGroup rule. In short, I would recommend
> having a look at the higher-end SEC rule types, since sometimes they do many
> things for you which would otherwise require a lot of Perl coding.
>
> kind regards,
> risto
>
> 2013/6/28 Boyles, Gary P <gary.p.boy...@intel.com>
>
> The timeframe doesn't matter. In my current setup I set the context for
> 300 seconds.
>
> The problem is with the $10 (source) variable. I want to deactivate the
> rule below (i.e. NFS_Slow_To_HARMLESS) by creating the context
> NFS_STOP::$2::$10 if I receive the same event from two different sources.
>
> Here is the rule I ended up with to determine that... it just seems like
> there is probably a very simple way of doing this that I'm not utilizing
> (i.e. a can't-see-the-forest-for-the-trees issue).
>
>
> ################################################################################
> # Notes:
> # 1. monitor ($4) = BEM_CLASS
> # 2. Project ($8) = Site
> # 3. mon_id ($10)= Source
> ################################################################################
> type=Single
> continue=TakeNext
> ptype=perlFunc
> pattern=sub { my (@parseStr) = split(/ :: /, $_[0]); return (@parseStr); }
> context=($4 $5) -> ( sub { my $class = $_[0]; my $severity = $_[1]; \
>     if ($class =~ /nfs_slow/i && $severity eq "CRITICAL") { return 1; } else { return 0; } } )
> desc=NFS_Slow_Setup::$2::$10
> # %NFS_Slow is a global hash that survives between events (node => last
> # source seen). The lcall returns a context name: "NFS::node::source" for
> # the first source seen for a node, "NFS_STOP::node::source" when a
> # different source reports the same node; 'create' then sets up that
> # context for 300 seconds.
> action=lcall %NFS_Context $2 $10 -> ( sub { my $node = $_[0]; my $source = $_[1]; \
>     my $nfs_context = "NFS::" . $node . "::" . $source; \
>     if (!exists $NFS_Slow{$node}) { \
>         $NFS_Slow{$node} = $source; \
>     } elsif ($NFS_Slow{$node} ne $source) { \
>         $nfs_context = "NFS_STOP::" . $node . "::" . $source; \
>         $NFS_Slow{$node} = $source; \
>     } \
>     return $nfs_context; } ); \
>     create %NFS_Context 300
>
> Thanks for taking a look !!!
>
> Gary Boyles
>
>
>
> -----Original Message-----
> From: David Lang [mailto:da...@lang.hm]
> Sent: Thursday, June 27, 2013 8:23 PM
> To: Boyles, Gary P
> Cc: simple-evcorr-users@lists.sourceforge.net
> Subject: Re: [Simple-evcorr-users] Looking For A Better Way To Do A Rule-Set.
>
> On Fri, 28 Jun 2013, Boyles, Gary P wrote:
>
> > Hi All,
> >
> > I have a request for a rule-set that does the following:
> >
> > 1. An event comes in with "node" in $2, class NFS_IS_Slow in ($4), severity in ($5), and source in ($10).
> >
> > 2. The request is for an event of this class ($4) from node ($2) to change the severity ($5) from CRITICAL to HARMLESS.
> >
> > 3. This is fairly easy to do... with the following rule:
> >
> > type=Single
> > continue=DontCont
> > ptype=perlFunc
> > pattern=sub { my (@parseStr) = split(/ :: /, $_[0]); return (@parseStr); }
> > context=!(NFS_STOP::$2::$10) && ($4 $5) -> ( sub { my $class = $_[0]; my $severity = $_[1]; \
> >     if ($class =~ /nfs_slow/i && $severity eq "CRITICAL") { return 1; } else { return 0; } } )
> > desc=NFS_Slow_To_HARMLESS::$2::$10
> > action=write %SEC_HOME/log/EC.main.log %u %s ; \
> >     event $1 :: $2 :: $3 :: $4 :: HARMLESS :: $6 :: $7 :: $8 :: $9 :: $10 :: $11 :: $12 :: $13 :: $14
> >
> > More Info:
> > I have a request to keep the severity of CRITICAL - if the "source" ($10) is different for two events.
> >
> > Question:
> > Is there an easy way to set the context "NFS_STOP::$2::$10" if the source ($10) changes?
> >
> > I've got perl-code that sets this in a rule, and this rule is placed before the one above,
> > but I was looking for a simple way to evaluate a previous event/context and set the context
> > below without using a lot of perl code.
> >
> > Summary:
> >
> > 1. I use the rule above to change/replace the severity from CRITICAL to HARMLESS.
> >
> > 2. But I also need to NOT do that (i.e. deactivate the rule) if $10 is different for two events.
> >
>
> the context can be any string you want, so you can include $10 in the context.
>
> Now, the first problem I have is that you want to do something if $10 is
> different for two events, but two events over what timeframe? Over the
> entire time that SEC is running?
>
> Does the quantity and order of alerts matter? What if you get 10 events
> from one, and 1 event from a second? What if you get 1 event from one and
> 10 events from a second?
>
> You may very well want to have multiple rules processing the same log line
> (takenext=continue) so that you can do different things with the log
> messages, but more info is needed to create the specific rules.
>
> David Lang
>
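To make the suggestion concrete (the EventGroup counting rule from Risto's earlier mail, plus the 'pipe' to 'create' change from the reply at the top), here is an added example rule set; it is not from the thread, from Gary, or from the SEC distribution. Assumptions: Gary's event layout (fields separated by ' :: ', fourteen fields, node in $2, class in $4, severity in $5, source in $10), the class string NFS_IS_Slow from his first mail, a one-day (86400 s) counting window and NFS_STOP lifetime, and writing the log line to standard output with 'write -' instead of Gary's log file. The sample events in the comments are constructed.

```conf
# Added example (not from the thread): two SEC rules implementing Risto's
# suggestion for Gary's NFS_Slow case. Assumed event layout (Gary's):
#   $1 :: node($2) :: $3 :: class($4) :: severity($5) :: $6 :: $7 :: site($8) :: $9 :: source($10) :: $11 :: $12 :: $13 :: $14
# Constructed sample input (one event per line):
#   e1 :: node01 :: t1 :: NFS_IS_Slow :: CRITICAL :: f6 :: f7 :: SITE1 :: f9 :: monA :: f11 :: f12 :: f13 :: f14
#   e2 :: node01 :: t2 :: NFS_IS_Slow :: CRITICAL :: f6 :: f7 :: SITE1 :: f9 :: monA :: f11 :: f12 :: f13 :: f14
#   e3 :: node01 :: t3 :: NFS_IS_Slow :: CRITICAL :: f6 :: f7 :: SITE1 :: f9 :: monB :: f11 :: f12 :: f13 :: f14
# e1 and e2 are rewritten to HARMLESS (same source, counted once);
# e3 is the second distinct source, so NFS_STOP::node01 is created and
# e3 keeps CRITICAL.

# Rule 1: count *distinct* sources ($10) per node ($2) for CRITICAL
# NFS_IS_Slow events. Every counted source becomes an alias of the per-node
# counting context, so repeats from the same source fail the
# !NFS_SRC_$2_$10 test and are not counted again. The aliases go away when
# 'end' deletes the counting context at the end of the operation.
# The PerlFunc pattern returns an empty list (no match) for lines that do
# not have at least ten ' :: ' fields.
type=EventGroup
continue=TakeNext
ptype=PerlFunc
pattern=sub { my @f = split(/ :: /, $_[0]); return (@f >= 10 ? @f : ()); }
context=!NFS_SRC_$2_$10 && ($4 $5) -> ( sub { $_[0] =~ /^NFS_IS_Slow$/i && $_[1] eq "CRITICAL" } )
init=create NFS_SRC_COUNTING_$2
end=delete NFS_SRC_COUNTING_$2
count=alias NFS_SRC_COUNTING_$2 NFS_SRC_$2_$10
desc=NFS_IS_Slow CRITICAL for node $2 from 2 distinct sources within 1d
action=create NFS_STOP::$2 86400
window=86400
thresh=2

# Rule 2: Gary's downgrade rule, gated on the per-node context set by
# rule 1 instead of a Perl-maintained hash. The re-injected HARMLESS event
# passes through both rules again but matches neither (severity is no
# longer CRITICAL). 'write -' is an assumption: Gary wrote to a log file.
type=Single
continue=DontCont
ptype=PerlFunc
pattern=sub { my @f = split(/ :: /, $_[0]); return (@f >= 10 ? @f : ()); }
context=!NFS_STOP::$2 && ($4 $5) -> ( sub { $_[0] =~ /^NFS_IS_Slow$/i && $_[1] eq "CRITICAL" } )
desc=NFS_Slow_To_HARMLESS::$2::$10
action=write - %u %s ; \
       event $1 :: $2 :: $3 :: $4 :: HARMLESS :: $6 :: $7 :: $8 :: $9 :: $10 :: $11 :: $12 :: $13 :: $14
```

Save this as, say, nfs_slow.sec and run 'sec --conf=nfs_slow.sec --input=-', pasting the three sample lines on stdin; the 'write -' line appears for e1 and e2 only. Because rule 1 comes first with continue=TakeNext, it sees every event before rule 2 does, so the event that brings the second source (e3) already finds NFS_STOP::node01 and keeps CRITICAL; e1 was rewritten before anyone could know a second source would follow, which is the unavoidable cost of not delaying events. The global %NFS_Slow hash from the Perl version is no longer needed: the per-node counting context and its per-source aliases carry that state and expire with the window, and the 86400 s values are only a guess at the timeframe discussed in the thread.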
------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:
Build for Windows Store.
http://p.sf.net/sfu/windows-dev2dev
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users