In message
<CAFz9LftZQZkdhKpvevVG6K_QO+_0YNfuJe7K=ndoyshjoej...@mail.gmail.com> ,
Andy Smith writes:
>I have a trivial use case where I have SEC analyzing application logs on
>native windows platforms.  So far it is working well with my configuration
>being no more complex than a bunch of 'singles' notifying about different
>types of badstuff identified by RegExp.
>
>I want to add a rule so that if no badstuff occurred in let's say, 300
>seconds, it should report an 'All Clear'.  Also, a node may go unused for
>days at a time with no input being added to the log and I wanted to cater
>for this as well, issuing the same 5 minute all clear.
>
>I have looked at the sample rules identified in
>http://www.cs.umb.edu/~rouilj/sec/rulesets/Readme.txt and I can see bits of
>what I want, but my lack of familiarity at the moment has led to a few
>dead ends when I try and implement anything.  Can someone help with some
>pointers please, can I even achieve what I want if no lines are added to
>the log?

There are a couple of ways to do this. If you only have bad stuff in
the logs, this can be done by adding one rule. If you have a mix of
bad stuff and good stuff in the logs from the nodes I would suggest
changing your action to read:

 action = <your current action(s)> ; \
          create <nodename>_all_clear 300 ( \
               write - node <nodename> is all clear )

to *each* of your rules that reports on bad stuff.

<nodename> should be replaced by one of the match variables $1, $2
... from your single rule.

What this does is:

    for each bad event that is reported for a node
      create a context unique to that node with a 5 minute lifetime.
         At the end of the lifetime it expires and it writes to
         stdout "node <nodename> is all clear".

    If another bad event comes in for the node, the context is
        recreated with a new 5 minute lifespan from the time
        of the new bad event.
        Because the original context is destroyed rather than
           expiring, it doesn't generate an "all clear".

The context will expire even if there are no input lines for that
node.

You can replace the write with whatever reporting command you want.

--
                                -- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
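The approach above, written out as a complete SEC ruleset. This is an added example, not a ruleset from the thread or from the SEC distribution; the log line format, the node and program names, the context name ALL_CLEAR_<node> and the two "bad stuff" patterns are all constructed assumptions. Each Single rule keeps its own reporting action and appends the same per-node create action, so any bad event from a node replaces that node's pending context and pushes its all clear out another 300 seconds.

```sec
# Added example ruleset (not from the thread). Assumed log line format:
#   <timestamp> <nodename> <program>: <LEVEL> <message>
#
# Constructed sample input lines:
#   2014-05-01T10:00:00 node01 payroll: ERROR database connection lost
#   2014-05-01T10:01:00 node01 payroll: WARNING disk 91% full
#   2014-05-01T10:02:00 node02 payroll: ERROR service restarted unexpectedly

# Rule 1: one kind of bad stuff. $1 is the node name, $2 the detail.
# The create action makes (or replaces) a context named after the node;
# its 300 second lifetime is tracked by SEC itself, so the all clear is
# written even if no further lines arrive from that node.
type=Single
ptype=RegExp
pattern=^\S+ (\S+) \S+: ERROR (.*)$
desc=error reported by node $1
action=write - node $1 reported an error: $2; \
       create ALL_CLEAR_$1 300 ( write - node $1 is all clear )

# Rule 2: another kind of bad stuff, with the identical create action.
# Because both rules use the SAME per-node context name, a warning that
# follows an error (or the other way round) overwrites the pending context
# instead of letting it expire, so no premature all clear is produced.
type=Single
ptype=RegExp
pattern=^\S+ (\S+) \S+: WARNING (.*)$
desc=warning reported by node $1
action=write - node $1 reported a warning: $2; \
       create ALL_CLEAR_$1 300 ( write - node $1 is all clear )
```

Run it with `sec --conf=allclear.sec --input=/path/to/app.log` (file names assumed). With the sample lines above, node01 produces two reports and then a single "node01 is all clear", and node02 one report and one all clear. Note that context lifetimes run on SEC's wall clock, not on the timestamps inside the log, so each all clear appears 300 seconds after SEC processed the node's last matching line, and replaying an old file does not reproduce the original timing.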

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users