I'd like to second David's remark. Logging messages might involve slight time lags, and the original order of messages might easily change when they are very close in time and are issued by different devices.

BR,
risto
-----Original Message-----
From: David Lang [mailto:da...@lang.hm]
Sent: Monday, June 30, 2014 10:04 AM
To: Risto Vaarandi
Cc: simple-evcorr-users
Subject: Re: [Simple-evcorr-users] Sequence

Keep in mind that there are several things that can cause SEC to see the logs in a different order than they were generated in, so be careful about ordering requirements.

David Lang

On Thu, 26 Jun 2014, Risto Vaarandi wrote:

> For detecting sequences of events, you could use the following strategy:
>
> type=single
> ptype=regexp
> pattern=event1: (\S+)
> desc=detected event1: $1
> action=create have_seen_event1_$1 60
>
> type=single
> ptype=regexp
> pattern=event2: (\S+)
> context=have_seen_event1_$1
> desc=detected event2: $1
> action=create have_seen_event1_event2_$1 30
>
> type=single
> ptype=regexp
> pattern=event3: (\S+)
> context=have_seen_event1_event2_$1
> desc=detected event1, after <= 60 sec event2, after <= 30 sec event3
> action=write - %s
>
> Note that the EventGroup rule does not assume any ordering for matching
> events, and therefore you have to set up contexts from the 'countN' fields
> of EventGroup in order to restrict matching similarly to the above example.
>
> hope this helps,
> risto
>
> 2014-06-25 14:34 GMT+03:00 Rolf Nufable <rolf_16_nufa...@yahoo.com>:
>
>> Hello Mailing List of Sec
>>
>> I am seeking help regarding my little experiment on SEC, where I want to
>> generate sequences of events, for example this sequence of events:
>>
>> Monitor event -> physmod event -> comprom event -> Monitor event
>>
>> I want to output in my database
>>
>> Monitor -> physmod -> comprom -> monitor observed
>>
>> in one config file.
>> I've tried various correlation rules of SEC, but none of them, I think, can
>> give me the said output, though I think combining these rules will give me
>> the output; I just don't know how to tweak the rules. I've also tried
>> EventGroup, which I thought was going to give me the output, but using
>> recurring patterns for the rule won't trigger it.
>>
>> So please help me in this small but very important experiment that I have
>> in mind :)
>>
>> _______________________________________________
>> Simple-evcorr-users mailing list
>> Simple-evcorr-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
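The context chain in Risto's reply, worked through as an added example (this is not SEC itself and not code from the thread): a small Python emulation of `single` rules with `context=` and `action=create NAME LIFETIME`, run over constructed log lines. It generalises the three-rule chain to any ordered list of event names, so the same builder also covers Rolf's Monitor -> physmod -> comprom -> Monitor sequence; the `name: key` line format, the host names and the 60-second windows used for Rolf's sequence are assumptions made for the example.

```python
"""Toy emulation of the SEC context chain from Risto's reply (added example, not SEC).

Models only what the posted rules use: a 'single' rule with ptype=regexp, an
optional context= that must exist for the rule to match, and action=create with a
lifetime. Line format 'name: key', host names and Rolf's windows are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    pattern: str                   # regexp with one capture group ($1 in SEC)
    context: Optional[str] = None  # context that must exist; '{0}' stands for $1
    create: Optional[str] = None   # context created on match; '{0}' stands for $1
    ttl: int = 0                   # lifetime in seconds of the created context
    report: Optional[str] = None   # stand-in for action=write - %s


class Correlator:
    def __init__(self, rules: List[Rule]):
        self.rules = [(re.compile(r.pattern), r) for r in rules]
        self.contexts = {}      # context name -> expiry (seconds on SEC's own clock)
        self.reports = []

    def context_alive(self, name: str, now: int) -> bool:
        expiry = self.contexts.get(name)
        if expiry is None:
            return False
        if now > expiry:        # lifetime over: SEC deletes the context
            del self.contexts[name]
            return False
        return True

    def feed(self, now: int, line: str) -> None:
        """Process one line read at second `now`. Contexts are stamped with the time
        the line is READ, not with any timestamp inside the message, so delivery
        order (David's remark) is what the chain actually sees."""
        for regex, rule in self.rules:
            match = regex.search(line)
            if not match:
                continue
            key = match.group(1)
            if rule.context and not self.context_alive(rule.context.format(key), now):
                continue        # context= is false: this rule does not match
            if rule.create:
                # toy simplification: re-creating an existing context resets its lifetime
                self.contexts[rule.create.format(key)] = now + rule.ttl
            if rule.report:
                self.reports.append(rule.report.format(key))
            break               # first matching rule consumes the event (no continue=)


def chain_rules(names: List[str], windows: List[int]) -> List[Rule]:
    """Build Risto's context chain for an ordered sequence of event names.

    windows[i] is the maximum gap in seconds between event i and event i+1. The
    closing rule is placed first: because the first matching rule consumes the
    event, a sequence that ends with the same name it starts with (Rolf's
    Monitor -> physmod -> comprom -> Monitor) would otherwise never reach it.
    """
    assert len(windows) == len(names) - 1
    seen = "have_seen_" + names[0]
    rules = [Rule(rf"{names[0]}: (\S+)", create=seen + "_{0}", ttl=windows[0])]
    for i in range(1, len(names) - 1):
        nxt = seen + "_" + names[i]
        rules.append(Rule(rf"{names[i]}: (\S+)", context=seen + "_{0}",
                          create=nxt + "_{0}", ttl=windows[i]))
        seen = nxt
    closing = Rule(rf"{names[-1]}: (\S+)", context=seen + "_{0}",
                   report=" -> ".join(names) + " observed for {0}")
    return [closing] + rules


def run(rules: List[Rule], events: List[Tuple[int, str]]) -> List[str]:
    c = Correlator(rules)
    for now, line in events:
        c.feed(now, line)
    return c.reports


# Constructed sample input for Risto's chain: (second the line is read, line).
RISTO_SAMPLE = [
    (0, "event1: alpha"), (1, "event1: beta"), (2, "event2: gamma"),      # gamma: event2 arrives first
    (3, "event1: delta"), (7, "event1: gamma"), (12, "event3: gamma"),
    (13, "event2: delta"), (40, "event2: alpha"), (53, "event3: delta"),  # delta: 40 s gap > 30 s
    (60, "event3: alpha"),   # alpha: 40 s then 20 s, within both windows
    (71, "event2: beta"),    # beta: 70 s gap > 60 s, context already gone
    (81, "event3: beta"),
]

# Constructed sample for Rolf's sequence; the 60 s windows are an assumption.
ROLF_SAMPLE = [
    (0, "Monitor: srv1"), (5, "Monitor: srv2"), (10, "physmod: srv1"),
    (15, "comprom: srv2"),   # srv2 skipped physmod: no context, nothing happens
    (20, "comprom: srv1"), (30, "Monitor: srv1"),   # srv1: full sequence in order
    (35, "physmod: srv2"), (100, "comprom: srv2"), (105, "Monitor: srv2"),  # srv2: 65 s gap
]

if __name__ == "__main__":
    print(run(chain_rules(["event1", "event2", "event3"], [60, 30]), RISTO_SAMPLE))
    print(run(chain_rules(["Monitor", "physmod", "comprom", "Monitor"], [60, 60, 60]), ROLF_SAMPLE))
```

Two things the run shows that the rules alone do not: the gamma events, which arrive as event2, event1, event3, never fire even though all three are read within ten seconds, which is exactly David's point about ordering; and when a sequence ends with the same event it starts with, the closing rule must come before the opening rule (or the opening rule needs continue=TakeNext), because the first matching rule consumes the event. For real SEC, check the man page for what `create` does to a context that already exists; this toy simply resets the lifetime.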