On 11/07/2013 03:15 PM, GrillMaster wrote:
> Hey Risto,
> Thank you for your reply. Everything worked as intended and you did a
> thorough job of explaining it.
>
> I have one more question. Is there an "or" function for patterns? I tried
> "||", but it didn't seem to work correctly.
hi,
if you are using regular expression patterns (ptype=RegExp), just one
pattern can be specified at a time. However, sec also supports the
PerlFunc pattern which allows to define any perl function for matching,
and you can easily define logical OR in the function body.
Lets assume for the sake of example that you would like to match either
the line
interface 10.1.1.1 down on server myserv
or the line
host myserv2: linkdown trap for interface 10.2.2.1
and in both cases you are interested in extracting both the host name
and the interface IP. Since the lines are fairly different, they are
hard to match with one regexp. Furthermore, the host name and interface
IP appear in different order, which makes it hard to achieve the same
numbering for the match variables.
The PerlFunc pattern helps to address these issues:
type=Single
ptype=PerlFunc
pattern=sub { \
if ($_[0] =~ /interface ([\d.]+) down on server (\w+)/) \
{ return ($2, $1); } \
if ($_[0] =~ /host (\w+): linkdown trap for interface ([\d.]+)/) \
{ return ($1, $2); } \
return 0; }
desc=host $1 interface $2 down
action=write - %s
In the above rule, the value for the 'pattern' keyword is no longer a
regexp but an anonymous Perl function definition given with the sub {
... } statement. The function gets the input line as its first parameter
which can be referenced with the perl $_[0] variable.
Inside the function, first the regular expression
interface ([\d.]+) down on server (\w+)
is tried and in the case of a match, the list (hostname, interfaceIP) is
returned. Note that this expression sets $2 to hostname and $1 to
interface IP, therefore we have to call 'return ($2, $1)'
If the first expression does not match, the second regular expression is
tried. In the case of the match we again return (hostname, interfaceIP)
tuple, but this time with 'return ($1, $2)', since now hostname maps to
$1 and interface to $2.
If neither of the expression matches, we call 'return 0' to indicate
there was no match.
After the function has been executed, sec checks the function return
value(s), and maps the value(s) to match variables $1, $2, ..., in the
order the values were returned from the function. Therefore, hostname
maps to $1 outside the function, and interface IP maps to $2.
PerlFunc patterns can be used for much more complex matching tasks, and
for longer functions it is often better to factor the function body into
a separate Perl module which is loaded at sec startup. An example of
this scenario is provided in the official docs:
http://simple-evcorr.sourceforge.net/man.html#lbBA
hope this helps,
risto
>
> Best Regards,
> grillmaster
>
>
>
> -----Original Message-----
> From: Risto Vaarandi [mailto:risto.vaara...@seb.ee]
> Sent: Thursday, November 07, 2013 4:18 AM
> To: simple-evcorr-users@lists.sourceforge.net
> Subject: Re: [Simple-evcorr-users] Monitoring a log for a string and
> executing a command
>
> hi,
> you have asked a very interesting question.
>
> Swatch supports three different event counting modes which can be set with
> the 'type' parameter:
>
> limit -- react to the first N events with an action and ignore the following
> ones (e.g., if N is 3, react to 1st, 2nd and 3rd event)
>
> threshold -- react to each Nth event with an action (e.g., if N is 3, react
> to 3rd, 6th, 9th, ... event)
>
> both -- react to Nth event with an action (e.g., if N is 3, react to the 3rd
> event only)
>
> The value of N is set with the Swatch 'count' parameter, while the size of
> the counting window is set with the 'seconds' parameter.
>
>
> The 'both' counting mode is easiest to implement with SEC, since it
> naturally maps to the SingleWithThreshold rule. For example, if we would
> like to count the event 'lets try' with a threshold of 3 in the window
> of 60 seconds, the rule would look like this:
>
> type=SingleWithThreshold
> ptype=Regexp
> pattern=lets try
> desc=three 'lets try' events in 1m
> action=write - %s
> thresh=3
> window=60
>
> In order to mimic the 'threshold' counting mode, you need to tell sec to
> reset the counting operation after reaching the threshold. For achieving
> this, change the 'action' parameter of the previous rule to the following:
>
> action=write - %s; reset 0
>
> In your example, you are doing the counting in the 'limit' mode, which
> requires the execution of an action at first N instances of a given
> event. Since SingleWithThreshold rule does not support this
> functionality, we can take advantage of the EventGroup rule which is a
> generalization of SingleWithThreshold. The example below is a sec
> implementation of your first swatch rule:
>
> type=EventGroup
> ptype=RegExp
> pattern=test
> context=!SUPPRESS
> count=shellcmd screen -S s1 -p 0 -X stuff "Different text injected into
> the same screen session"`echo -ne '\015'`
> desc=Counting test events
> action=create SUPPRESS
> thresh=1
> window=60
> end=delete SUPPRESS
>
> Note that in order to suppress events which follow the first N
> instances, we are using the SUPPRESS context which is created after Nth
> instance has been observed.
>
> Also, the swatch 'count' and 'seconds' parameter map to sec 'thresh' and
> 'window' parameters, respectively.
>
> Please also note one important aspect -- swatch allows to define the
> scope of the counting with the 'track_by' keyword (your example did not
> include this functionality, though).
> In sec, setting the scope can be done with the 'desc' parameter which
> works exactly like 'track_by'. Also, the current value of the 'desc'
> parameter can be retrieved from the %s special variable.
>
> I hope the above examples were able to shed some light into how you
> could convert swatch rules to sec.
>
> kind regards,
> risto
>
> On 11/07/2013 09:56 AM, GrillMaster wrote:
>> Hi,
>>
>> I'm a little confused on how I set up rules to monitor a log file for
>> various strings and execute a different command for each string. I am
>> basically trying to convert a swatch config into sec. Here is an
>> example of the swatch file:
>>
>> watchfor /test/
>>
>> exec "screen -S s1 -p 0 -X stuff "Text injected into a screen
>> session"`echo -ne '\015'`"
>>
>> threshold type=limit,count=1,seconds=3
>>
>> watchfor /test2/
>>
>> exec "screen -S s1 -p 0 -X stuff "Different text injected into
>> the same screen session"`echo -ne '\015'`"
>>
>> threshold type=limit,count=1,seconds=3
>>
>> watchfor /test3/
>>
>> exec "screen -S s1 -p 0 -X stuff "Unique text injected into the
>> same screen session"`echo -ne '\015'`"
>>
>> threshold type=limit,count=1,seconds=3
>>
>> -grillmaster
>>
>>
>>
>>
> ----------------------------------------------------------------------------
> --
>> November Webinars for C, C++, Fortran Developers
>> Accelerate application performance with scalable programming models.
> Explore
>> techniques for threading, error checking, porting, and tuning. Get the
> most
>> from the latest Intel processors and coprocessors. See abstracts and
> register
>>
> http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk
>>
>>
>>
>> _______________________________________________
>> Simple-evcorr-users mailing list
>> Simple-evcorr-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>>
>
>
> ----------------------------------------------------------------------------
> --
> November Webinars for C, C++, Fortran Developers
> Accelerate application performance with scalable programming models. Explore
> techniques for threading, error checking, porting, and tuning. Get the most
> from the latest Intel processors and coprocessors. See abstracts and
> register
> http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>
>
>
------------------------------------------------------------------------------
November Webinars for C, C++, Fortran Developers
Accelerate application performance with scalable programming models. Explore
techniques for threading, error checking, porting, and tuning. Get the most
from the latest Intel processors and coprocessors. See abstracts and register
http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
