Hello:

In message <20141216181947.ga1...@medion.reseau.net>, Sebre writes:

> I have to monitor two log files, each one has to match its own SEC
> rules. I'm trying to set up a "Pair" based rule: a regexp triggers an
> action and a substr resets the event list. It's OK as long as I give a
> single file on the command line; only one --input parameter.
>
> If I build a context, as described in the man page, with --intcontexts and
> --input=my_log=MY_CONTEXT switches, and the context=MY_CONTEXT in the
> config file, along with other --input files, the first event is
> detected on the input file linked by its context: very good.
>
> But the pattern2 is triggered by ANY input file. SEC ignores the
> context. The pattern2 should be matched against the input file linked by
> the context, shouldn't it?
>
> My config only describes the ruleset for the first file (if OK, the
> ruleset for the second file should be similar):
>
> ---- sec.rules -----------------------
> type=Pair
> context=[CFT]
> ptype=regexp
> pattern=(?i)(ERROR|WARNING)
> desc=Alarm $1 on $+{_inputsrc}
> action=logonly
> ptype2=substr
> pattern2=receiving file list ... done
> desc2=Alarm end on $+{_inputsrc}
> action2=logonly
> window=60
> ---- sec.rules -----------------------
I don't see a context2 keyword in your rule. From the manual, under the
Pair rule section:

  SEC will also copy the match conditions given with the pattern2 and
  context2 field into the operation, and substitute match variables with
  their values in copied conditions.

So at a quick glance I claim adding:

  context2=[CFT]

will do the trick. As it stands, you have no context limiting the
correlation rule to a particular file. (The correlation is the new rule
formed from desc2, pattern2, action2 ....)

> Command line:
> ./sec --intcontexts --conf=config/sec.rules \
> --input=log/RECEPTION.log=CFT \
> --input=log/OUTPUT.log=OTHER
>
> Perl v5.8.8 built for aix-thread-multi
>
> Interesting fact: $+{_inputsrc} displays "log/RECEPTION.log" even if
> pattern2 is matched against "log/OUTPUT.log".

Hmm, this makes perfect sense if

  desc2=Alarm end on $+{_inputsrc}

is expanded when the pair rule is triggered by "pattern". At that time,
$+{_inputsrc} is log/RECEPTION.log.

You didn't say what version of SEC you are running. I want to say this
may be a bug, but I don't remember desc2's role in correlations for the
pair rule. It's possible desc2 is just a label rather than being used
for a correlation check. The section in the manual titled EVENT
CORRELATION OPERATIONS says:

  In order to identify event correlation operations, SEC assigns a key
  to every operation that is composed from the configuration file name,
  the rule ID, and the operation description string (defined by the
  desc field of the rule).

Note it says nothing about desc2 being used to identify correlation
operations. So this may be how it should work. Since you have no
context2 to limit the pattern2 correlation, what you see would make
sense.

I am not sure if there is a way to get the current input file in the
triggered rule. My best guess would be to see what:

  action2=write - $+{_inputsrc}

produces. My guess is that will be log/OUTPUT.log because variables in
the action keyword aren't expanded until the rule triggers.
Also you may want to look at the --nojointbuf command line option. I
think that may limit the desc2 correlation to the original buffer/file
that triggered the rule, but I am not positive about that.

Let us know if any of this fixes your issue. Good luck.

--
-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
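As an added illustration that is not part of the thread, this is the ruleset John's suggestion implies: one Pair rule per input file, each with both context and context2 pinned to the internal context that --intcontexts assigns from the --input=file=NAME argument quoted above. The patterns for the OUTPUT.log rule are constructed placeholders, since the thread does not show that ruleset.

```text
# Added example, not from the thread. Assumes the command line quoted above:
#   ./sec --intcontexts --conf=config/sec.rules \
#        --input=log/RECEPTION.log=CFT --input=log/OUTPUT.log=OTHER
# With --intcontexts, the context named in --input=file=NAME exists only
# while SEC processes an event read from that file, so context2 keeps
# pattern2 from matching lines that arrived from the other input file.

# Rule for log/RECEPTION.log: Sebre's rule plus the context2 line.
type=Pair
context=[CFT]
ptype=regexp
pattern=(?i)(ERROR|WARNING)
desc=Alarm $1 on $+{_inputsrc}
action=logonly
ptype2=substr
pattern2=receiving file list ... done
context2=[CFT]
desc2=Alarm end on $+{_inputsrc}
action2=logonly
window=60

# Rule for log/OUTPUT.log; pattern2 here is a constructed placeholder.
type=Pair
context=[OTHER]
ptype=regexp
pattern=(?i)(ERROR|WARNING)
desc=Alarm $1 on $+{_inputsrc}
action=logonly
ptype2=substr
pattern2=transfer complete
context2=[OTHER]
desc2=Alarm end on $+{_inputsrc}
action2=logonly
window=60
```

Note that desc2 is still expanded when pattern fires, so $+{_inputsrc} in desc2 names the first file, exactly as observed in the thread; only the action2 string is expanded when pattern2 triggers.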