In message <017d01cf1c86$f773a3a0$e65aeae0$@gmail.com>, "andrewarnier" writes:
>Yes, I'm trying to detect 2 loss-of-signal events within 5 seconds from the
>same device (for example: from the same CISCO-15454). I have modified my rule
>as follows:
>
>type=PairWithWindow
>ptype=RegExp
>pattern=(.+) (.+) (.+) (.+) Loss Of Signal
>desc=$1_$2_$3_$4_lossOfSignal
>action=write - p1=$1_p2=$2_p3=$3_p4=$4_pattern1
>ptype2=RegExp
>pattern2=(.+) (.+) ($3) ($4) Loss Of Signal
>desc2=_lossOfSignal:Flapping
>action2=write - Loss Of Signal Flapping within 5 second window!
>thresh=2
>window=5
>
>The input is the same event twice:
>
>Sun Dec 1 12:12:41 2013 .1.3.6.1.4.1.3607.6.10.30.0.430 Critical "cisco" CISCO-15454 - CISCO -15454 Loss Of Signal in FAC-15-1 (criticalServiceAffecting),ifIndex=61442
>Sun Dec 1 12:12:41 2013 .1.3.6.1.4.1.3607.6.10.30.0.430 Critical "cisco" CISCO-15454 - CISCO -15454 Loss Of Signal in FAC-15-1 (criticalServiceAffecting),ifIndex=61442
>
>But it still can't show "Loss Of Signal Flapping within 5 second window!"
>
>Can you give me some advice on what to do please?
You need to re-read all of Risto's emails. One of them (archived at
http://sourceforge.net/mailarchive/message.php?msg_id=31894071 in case it's
in your spam folder or something) gives you the answer using the
SingleWithThreshold rule (not a PairWithWindow rule) that you should be using
for this correlation. (Also, you quoted the same recommendation in this
email, see below.)

PairWithWindow is for two different events, one of which matches pattern 1
and one of which matches pattern 2 (but not pattern 1). You are using the
wrong rule for what you want to do, as both your events match pattern 1 (as
also pointed out by David).

>-----Original Message-----
>From: Risto Vaarandi [mailto:risto.vaara...@gmail.com]
>Sent: Tuesday, January 28, 2014 6:48 AM
>To: andrewarnier
>Cc: simple-evcorr-users@lists.sourceforge.net
>Subject: Re: [Simple-evcorr-users] PairWithWindow rule
>
>hi Andrew,
>in the case of your rule, both example events
>
>Sun Dec 1 12:12:41 2013 .1.3.6.1.4.1.3607.6.10.30.0.430 Critical "cisco" CISCO-15454 - CISCO -15454 Loss Of Signal in FAC-15-1 (criticalServiceAffecting),ifIndex=61442
>Sun Dec 1 12:12:41 2013 .1.3.6.1.4.1.3607.6.10.30.0.430 Critical "cisco" CISCO-15454 - CISCO -15454 Loss Of Signal in FAC-15-1 (criticalServiceAffecting),ifIndex=61442
>
>match the 'pattern' field of the rule. As a consequence, the first event
>starts an event correlation operation which waits for an event matching the
>regular expression 'Loss Of Signal'. However, since the second event also
>matches the regular expression given with the 'pattern' field, the operation
>silently consumes it, without trying the 'Loss Of Signal' regular expression.
>Therefore, the operation will time out 5 seconds after it was started and
>run the action given with the 'action' field.
>
>However, from your rule description it seems that you are actually trying to
>detect 2 loss-of-signal events within 5 seconds.
>If so, perhaps you can take
>advantage of SingleWithThreshold rule with
              ^^^^^^^^^^^^^^^^^^^^^ Note SingleWithThreshold
>thresh=2 and window=5?
>
>Also, I would rewrite your original regular expression
>
>(.+) (.+) (.+) (.+) Loss Of Signal
>
>since the first (.+) starts matching characters from the beginning of the
>line, including timestamps. Your two example events set $1 to the same value
>only because the events have identical timestamps.

You should read the manual page where the SingleWithThreshold rule is
described for further details.

--
                                -- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.