[Simple-evcorr-users] PairWithWindow rule

[andrewarnier]

Hi all,

I have Create a SEC configuration file and set a SEC rule  as follows:

type=PairWithWindow

ptype=RegExp

pattern= (.+) (.+) (.+) (.+) Loss Of Signal

desc= $1_$2_$3_$4_lossOfSignal

action=write -=p1=$1_p2=$2_p3=$3_p4=$4_patter1

ptype2=RegExp

pattern2= Loss Of Signal

desc2=_lossOfSignal:Flapping

action2=write - Loss Of Signal Flapping within 5 second window!

window=5

 

Save snmptt_test_sec.cfg and execute the following command: 

$ perl /usr/local/sbin/sec.pl -conf=snmptt_test_sec.cfg  -input=-

SEC (Simple Event Correlator) 2.4.1

Reading configuration from snmptt_test_sec.cfg

1 rule loaded from snmptt_test_sec.cfg

 

 

Type the following lines of input: 

Sun Dec  1 12:12:41 2013 .1.3.6.1.4.1.3607.6.10.30.0.430 Critical "cisco"
CISCO-15454 - CISCO -15454 Loss Of Signal in FAC-15-1
(criticalServiceAffecting),ifIndex=61442

Sun Dec  1 12:12:41 2013 .1.3.6.1.4.1.3607.6.10.30.0.430 Critical "cisco"
CISCO-15454 - CISCO -15454 Loss Of Signal in FAC-15-1
(criticalServiceAffecting),ifIndex=61442

 

In this case, the ``events'' were not matched the rule , as follows ,

 

$ perl /usr/local/sbin/sec.pl -conf=snmptt_test_sec.cfg  -input=-

SEC (Simple Event Correlator) 2.4.1

Reading configuration from snmptt_test_sec.cfg

2 rules loaded from snmptt_test_sec.cfg

Sun Dec  1 12:12:41 2013 .1.3.6.1.4.1.3607.6.10.30.0.430 Critical "cisco"
CISCO-15454 - CISCO -15454 Loss Of Signal in FAC-15-1
(criticalServiceAffecting),ifIndex=61442

Sun Dec  1 12:12:41 2013 .1.3.6.1.4.1.3607.6.10.30.0.430 Critical "cisco"
CISCO-15454 - CISCO -15454 Loss Of Signal in FAC-15-1
(criticalServiceAffecting),ifIndex=61442

Writing event 'Sun Dec  1 12:12:41 2013 .1.3.6.1.4.1.3607.6.10.30.0.430
Critical "cisco" CISCO-15454_-_CISCO_-15454_lossOfSignal' to file -=p1=Sun
Dec  1 12:12:41 2013 .1.3.6.1.4.1.3607.6.10.30.0.430 Critical "cisco"
CISCO-15454_p2=-_p3=CISCO_p4=-15454_patter1

 

But these input are the same,why can match the rule, is anything wrong with
my rule ?

 

Can anyone give me some advice on what to do please?


------------------------------------------------------------------------------
CenturyLink Cloud: The Leader in Enterprise Cloud Services.
Learn Why More Businesses Are Choosing CenturyLink Cloud For
Critical Workloads, Development Environments & Everything In Between.
Get a Quote or Start a Free Trial Today. 
http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users