Hi risto,

Yes, I'm trying to detect 2 loss-of-signal events within 5 seconds from the same device (for example: from the same CISCO-15454). I have modified my rule as follows:

type=PairWithWindow
ptype=RegExp
pattern= (.+) (.+) (.+) (.+) Loss Of Signal
desc= $1_$2_$3_$4_lossOfSignal
action=write -=p1=$1_p2=$2_p3=$3_p4=$4_patter1
ptype2=RegExp
pattern2= (.+) (.+) ($3) ($4) Loss Of Signal
desc2=_lossOfSignal:Flapping
action2=write - Loss Of Signal Flapping within 5 second window!
thresh=2
window=5

The input is the same event:

Sun Dec 1 12:12:41 2013 .1.3.6.1.4.1.3607.6.10.30.0.430 Critical "cisco" CISCO-15454 - CISCO -15454 Loss Of Signal in FAC-15-1 (criticalServiceAffecting),ifIndex=61442
Sun Dec 1 12:12:41 2013 .1.3.6.1.4.1.3607.6.10.30.0.430 Critical "cisco" CISCO-15454 - CISCO -15454 Loss Of Signal in FAC-15-1 (criticalServiceAffecting),ifIndex=61442

But it still can't show "Loss Of Signal Flapping within 5 second window!"

Can you give me some advice on what to do please?

andrew

-----Original Message-----
From: Risto Vaarandi [mailto:risto.vaara...@gmail.com]
Sent: Tuesday, January 28, 2014 6:48 AM
To: andrewarnier
Cc: simple-evcorr-users@lists.sourceforge.net
Subject: Re: [Simple-evcorr-users] PairWithWindow rule

hi Andrew,

in the case of your rule, both example events

Sun Dec 1 12:12:41 2013 .1.3.6.1.4.1.3607.6.10.30.0.430 Critical "cisco" CISCO-15454 - CISCO -15454 Loss Of Signal in FAC-15-1 (criticalServiceAffecting),ifIndex=61442
Sun Dec 1 12:12:41 2013 .1.3.6.1.4.1.3607.6.10.30.0.430 Critical "cisco" CISCO-15454 - CISCO -15454 Loss Of Signal in FAC-15-1 (criticalServiceAffecting),ifIndex=61442

match the 'pattern' field of the rule. As a consequence, the first event starts an event correlation operation which waits for an event matching the regular expression 'Loss Of Signal'. However, since the second event also matches the regular expression given with the 'pattern' field, the operation silently consumes it, without trying the 'Loss Of Signal' regular expression. Therefore, the operation will time out 5 seconds after it was started and run the action given with the 'action' field.

However, from your rule description it seems that you are actually trying to detect 2 loss-of-signal events within 5 seconds. If so, perhaps you can take advantage of the SingleWithThreshold rule with thresh=2 and window=5?

Also, I would rewrite your original regular expression

(.+) (.+) (.+) (.+) Loss Of Signal

since the first (.+) starts matching characters from the beginning of the line, including timestamps. Your two example events set $1 to the same value only because the events have identical timestamps.

hope this helps,
risto

2014-01-27 andrewarnier <andrewarn...@gmail.com>:
> Hi all,
>
> I have created a SEC configuration file and set a SEC rule as follows:
>
> type=PairWithWindow
> ptype=RegExp
> pattern= (.+) (.+) (.+) (.+) Loss Of Signal
> desc= $1_$2_$3_$4_lossOfSignal
> action=write -=p1=$1_p2=$2_p3=$3_p4=$4_patter1
> ptype2=RegExp
> pattern2= Loss Of Signal
> desc2=_lossOfSignal:Flapping
> action2=write - Loss Of Signal Flapping within 5 second window!
> window=5
>
> Save snmptt_test_sec.cfg and execute the following command:
>
> $ perl /usr/local/sbin/sec.pl -conf=snmptt_test_sec.cfg -input=-
> SEC (Simple Event Correlator) 2.4.1
> Reading configuration from snmptt_test_sec.cfg
> 1 rule loaded from snmptt_test_sec.cfg
>
> Type the following lines of input:
>
> Sun Dec 1 12:12:41 2013 .1.3.6.1.4.1.3607.6.10.30.0.430 Critical "cisco" CISCO-15454 - CISCO -15454 Loss Of Signal in FAC-15-1 (criticalServiceAffecting),ifIndex=61442
> Sun Dec 1 12:12:41 2013 .1.3.6.1.4.1.3607.6.10.30.0.430 Critical "cisco" CISCO-15454 - CISCO -15454 Loss Of Signal in FAC-15-1 (criticalServiceAffecting),ifIndex=61442
>
> In this case, the ``events'' were not matched by the rule, as follows,
>
> $ perl /usr/local/sbin/sec.pl -conf=snmptt_test_sec.cfg -input=-
> SEC (Simple Event Correlator) 2.4.1
> Reading configuration from snmptt_test_sec.cfg
> 2 rules loaded from snmptt_test_sec.cfg
> Sun Dec 1 12:12:41 2013 .1.3.6.1.4.1.3607.6.10.30.0.430 Critical "cisco" CISCO-15454 - CISCO -15454 Loss Of Signal in FAC-15-1 (criticalServiceAffecting),ifIndex=61442
> Sun Dec 1 12:12:41 2013 .1.3.6.1.4.1.3607.6.10.30.0.430 Critical "cisco" CISCO-15454 - CISCO -15454 Loss Of Signal in FAC-15-1 (criticalServiceAffecting),ifIndex=61442
> Writing event 'Sun Dec 1 12:12:41 2013 .1.3.6.1.4.1.3607.6.10.30.0.430 Critical "cisco" CISCO-15454_-_CISCO_-15454_lossOfSignal' to file -=p1=Sun Dec 1 12:12:41 2013 .1.3.6.1.4.1.3607.6.10.30.0.430 Critical "cisco" CISCO-15454_p2=-_p3=CISCO_p4=-15454_patter1
>
> But these inputs are the same, so why can they match the rule? Is anything wrong with my rule?
>
> Can anyone give me some advice on what to do please?
>
> andrew

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
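The two points Risto makes, shown as an added example that is not part of the thread and not SEC's own (Perl) code: a Python simulation of a SingleWithThreshold-style rule with thresh=2 and window=5, keyed on the device and port captured by a regular expression that is anchored on the fixed fields around the device name rather than on the start of the line. The regex, the sliding-window logic, the reset after the action fires, and the sample events (which deliberately carry different timestamps) are my constructions and assumptions; SEC's real implementation may differ in details. The block also keeps the thread's original `(.+) (.+) (.+) (.+) Loss Of Signal` pattern to show that its `$1` swallows the timestamp.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The pattern from the thread: the first (.+) is greedy and starts at the line
# beginning, so $1 carries the timestamp and everything up to the device name.
ORIGINAL_PATTERN = re.compile(r'(.+) (.+) (.+) (.+) Loss Of Signal')

# Assumed replacement: anchor on the fixed fields (OID, severity, quoted
# community) so the capture groups hold only the device and the port.
LOSS_OF_SIGNAL = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) '   # timestamp
    r'\S+ \S+ "[^"]*" (?P<device>\S+) .*Loss Of Signal in (?P<port>\S+)'
)


def original_key(line):
    """What $1 would be under the thread's original pattern (None if no match)."""
    m = ORIGINAL_PATTERN.search(line)
    return m.group(1) if m else None


def parse_event(line):
    """Return (timestamp, device, port) for a Loss Of Signal event, else None."""
    m = LOSS_OF_SIGNAL.match(line)
    if not m:
        return None
    ts = datetime.strptime(' '.join(m.group('ts').split()), '%a %b %d %H:%M:%S %Y')
    return ts, m.group('device'), m.group('port')


class SingleWithThreshold:
    """Simulation (not SEC's code) of the semantics described in the thread:
    fire once when `thresh` events with the same correlation key arrive
    within `window` seconds, then start counting afresh for that key."""

    def __init__(self, thresh, window):
        self.thresh = thresh
        self.window = window
        self.seen = defaultdict(deque)   # key -> timestamps still inside the window
        self.alerts = []

    def feed(self, line):
        parsed = parse_event(line)
        if parsed is None:
            return False
        ts, device, port = parsed
        key = (device, port)             # plays the role of desc=$device_$port_lossOfSignal
        q = self.seen[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > self.window:   # drop events outside window
            q.popleft()
        if len(q) >= self.thresh:
            self.alerts.append(
                f'{device} {port}: Loss Of Signal Flapping within {self.window} second window!')
            q.clear()                    # assumed reset after the action has run
            return True
        return False


# Constructed test input in the thread's event format; timestamps differ on purpose.
SAMPLE_EVENTS = [
    'Sun Dec 1 12:12:41 2013 .1.3.6.1.4.1.3607.6.10.30.0.430 Critical "cisco" CISCO-15454 - CISCO -15454 Loss Of Signal in FAC-15-1 (criticalServiceAffecting),ifIndex=61442',
    'Sun Dec 1 12:12:42 2013 .1.3.6.1.4.1.3607.6.10.30.0.430 Critical "cisco" CISCO-15454-B - CISCO -15454 Loss Of Signal in FAC-15-1 (criticalServiceAffecting),ifIndex=61442',
    'Sun Dec 1 12:12:44 2013 .1.3.6.1.4.1.3607.6.10.30.0.430 Critical "cisco" CISCO-15454 - CISCO -15454 Loss Of Signal in FAC-15-1 (criticalServiceAffecting),ifIndex=61442',
    'Sun Dec 1 12:12:50 2013 .1.3.6.1.4.1.3607.6.10.30.0.430 Critical "cisco" CISCO-15454-B - CISCO -15454 Loss Of Signal in FAC-15-1 (criticalServiceAffecting),ifIndex=61442',
    'Sun Dec 1 12:12:55 2013 .1.3.6.1.4.1.3607.6.10.30.0.430 Warning "cisco" CISCO-15454 - CISCO -15454 Link Up in FAC-15-1 (informational),ifIndex=61442',
]


def run(lines, thresh=2, window=5):
    """Feed every line through one rule instance and return the alerts raised."""
    op = SingleWithThreshold(thresh, window)
    for line in lines:
        op.feed(line)
    return op.alerts


if __name__ == '__main__':
    print('original $1:', original_key(SAMPLE_EVENTS[0]))
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Only CISCO-15454 fires: its two events are 3 seconds apart, while the two CISCO-15454-B events are 8 seconds apart and the second one starts a fresh count. With the original pattern the correlation key would begin with the timestamp, so two events from the same device a second apart would never share a key.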