I thought there must be a way to do this safely without digging into the innards of SEC, but it seems I have no solution other than that -- hoping someone can guide me back to a non-innards method. The problem is this -- how do you take a pattern match and feed that into Perl code (via eval or call/lcall) with quoting guaranteed not to be disrupted by the presence of quoting characters within the string? In my particular case, I have used the JSON flatten method to produce a hash from Windows event log data (sent by nxlog-ce), and have stored it in the WINDOWS varmap. For my catchall rules, I want to count how many times I have seen a particular string in the Message field per event source. That field has unknown data, so you need to safely quote it, but more ideally, the value is already in a Perl variable within SEC -- why not bypass quoting and just reference that in the counting code? I just can't see how to pass the variable to the code -- I thought perhaps with lcall, but not really, since I would have to quote the string still. So I am left with referencing %main::pmatch_cache{WINDOWS} within the code to access the values without worrying about quoting issues. Am I missing something, or is this an OK thing to be doing? You can do what I am talking about within the context evaluation (via the :> operator), just not within eval/lcall/call from what I can see.
For reference, this is what I am doing (development still in progress, so there could be other issues) -- the problem is with the second rule that injects the data into the %WINDOWS_WARNING hash using q($+{Message}). I can find better quoting methods, like using \001 as the quote character, but I sometimes have seen issues with that (e.g., unicode), so avoiding quoting entirely is preferred.

type=Single
ptype=Cached
pattern=WINDOWS
context=!WINDOWS_WARNING_$+{SourceName} && WINDOWS :> ( sub { return $_[0]->{EventType} eq "WARNING" } )
desc=Windows Unclassified $+{EventType}: $+{SourceName}
action=create WINDOWS_WARNING_$+{SourceName} 5400 ( \
  eval %out ( my @ret = map { "$WINDOWS_WARNING{'$+{SourceName}'}->{Info}->{$_}\t$_" } \
    sort {$WINDOWS_WARNING{'$+{SourceName}'}->{Info}->{$b} <=> $WINDOWS_WARNING{'$+{SourceName}'}->{Info}->{$a}} \
    keys %{$WINDOWS_WARNING{'$+{SourceName}'}->{Info}}; \
    unshift(@ret, "First Seen: $WINDOWS_WARNING{'$+{SourceName}'}->{When}\nCount\tEvent\n"); \
    delete $WINDOWS_WARNING{'$+{SourceName}'}; \
    return @ret; ); \
  fill WINDOWS_WARNING_$+{SourceName} %out; \
  report WINDOWS_WARNING_$+{SourceName} /usr/libexec/sec/notify.pl -m %nt_mail -f %nt_from "%s" ); \
  eval %o ( delete $WINDOWS_WARNING{'$+{SourceName}'}; \
    $WINDOWS_WARNING{'$+{SourceName}'}->{When} = time; )
continue=takenext

type=Single
ptype=Cached
pattern=WINDOWS
context=WINDOWS :> ( sub { return $_[0]->{EventType} eq "WARNING" } )
desc=Windows Unclassified $+{EventType}: $+{SourceName}
action=eval %o ( $WINDOWS_WARNING{'$+{SourceName}'}->{Info}->{sprintf("%%s: %%s/%%d: %%s", '$+{Hostname}', '$+{SourceName}', '$+{EventID}', q($+{Message}))}++; )

Thanks,
Mark

--
Mark D.
Nagel, CCIE #3177 <mna...@willingminds.com>
Principal Consultant, Willing Minds LLC (http://www.willingminds.com)
cell: 949-279-5817, desk: 714-495-4001, fax: 714-646-8277

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
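The quoting hazard the post describes, as an added example that is not part of the original message and not SEC code. It models the two routes in plain Perl: substituting the matched Message text into code that is then eval'ed (what q($+{Message}) in an eval action amounts to), versus handing the already-parsed value to code that was compiled once. The %pmatch_cache hash is a constructed stand-in for the per-pattern cache the post refers to, not SEC's real structure, and the two event messages are constructed sample values.

```perl
#!/usr/bin/perl
# Added example (not from the original post, not SEC code).  It simulates
# the two routes for getting a matched field into Perl counting code:
#   1. substituting the field's text into code that is then eval'ed, which
#      is what q($+{Message}) in an SEC eval action amounts to;
#   2. reading the already-parsed value from a Perl variable, which is what
#      referencing the match cache or passing an argument does.
use strict;
use warnings;

# Constructed stand-in for the per-pattern match cache the post refers to
# (field => value, as a JSON-flatten step would produce).  The real SEC
# structure is not reproduced here.
my %pmatch_cache = (
    WINDOWS => {
        Hostname   => 'host1',
        SourceName => 'Disk',
        EventID    => 51,
        Message    => 'Service started normally',
    },
);

my %count_textual;   # filled by route 1
my %count_byvalue;   # filled by route 2

# Route 1: the field value becomes part of the source text eval compiles.
# A quoting character in the value (here an unbalanced ")") changes how the
# code parses: at best a compile error that silently drops the event from
# the count, at worst the remainder of the message is parsed as code.
sub count_textual {
    my ($ev) = @_;
    my $code = '$count_textual{q(' . "$ev->{SourceName}/$ev->{Message}" . ')}++;';
    eval $code;
    return $@ ? 'compile error' : 'ok';
}

# Route 2: the code is compiled once and only ever receives values.
# Nothing in the message can alter the code, so no quoting is needed.
my $count_by_value = sub {
    my ($ev) = @_;
    $count_byvalue{"$ev->{SourceName}/$ev->{Message}"}++;
    return 'ok';
};

# Run both routes over the cached event, first with a harmless message and
# then with a constructed message that contains a closing parenthesis.
for my $msg ('Service started normally', 'Unexpected ")" in filter expression') {
    $pmatch_cache{WINDOWS}{Message} = $msg;
    my $ev = $pmatch_cache{WINDOWS};
    printf "%-40s textual=%-13s by-value=%s\n",
        $msg, count_textual($ev), $count_by_value->($ev);
}

# Only route 2 counted both messages; route 1 lost the second one.
print "textual keys:  ", join(', ', sort keys %count_textual), "\n";
print "by-value keys: ", join(', ', sort keys %count_byvalue), "\n";
```

Run it with perl and compare the two key lists: the by-value hash holds both messages, the textual hash only the first. The point for a catchall rule is that the code path must never be reconstructed from the event's own text; whether the value arrives through the cache variable or as a function argument, it should reach the counting code as data, so a Message containing parentheses, quotes or non-ASCII bytes cannot change what the rule executes or be quietly dropped from the count.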