On Tue, 31 Mar 2015, Risto Vaarandi wrote:

> hi David,
>
> the problem you are experiencing is related to the action-on-expire field
> of the heartbeat_$1 context. When this context is created, its
> action-on-expire field is set to the following list:
>
> create heartbeat_$1 14400 (shellcmd /usr/local/bin/sec/notifiy.sh $1 '2+ hours' ); \
> shellcmd /usr/local/bin/sec/notify.sh $1 '4 min'
>
> This action list is executed when the heartbeat_$1 context expires,
> immediately before heartbeat_$1 is deleted and dropped from memory. As a
> result, the following things happen when heartbeat_$1 expires:
>
> 1) expiration of heartbeat_$1 forces the execution of the above action list
>    which is always followed by context deletion
> 2) 'create' action changes context lifetime and action-on-expire -- but
>    these changes have no effect to the currently running action list and
>    context deletion procedure
> 3) 'shellcmd' action runs /usr/local/bin/sec/notify.sh
> 4) now that the action list has completed, the heartbeat_$1 is dropped from
>    memory.
>
> In other words, changing context lifetime (and taking other measures for
> preventing context deletion) will have no effect when invoked from
> action-on-expire action list.

I was afraid it was something like this.

I think that what I'll try is to replace the create action with a log action,
and then have another rule to watch for that log message.

David Lang

> One possible solution would be the use of two distinct contexts for
> alerting (such as heartbeat_$1 and heartbeat2_$1):
>
> type=single
> ptype=regexp
> pattern=(\S+)
> context=[!SEC_INTERNAL_EVENT]
> desc=heartbeat_$1
> action=create heartbeat_$1 10 ( create heartbeat2_$1 20 \
>    (shellcmd /usr/local/bin/sec/notifiy.sh $1 '2+ hours' ); \
>    shellcmd /usr/local/bin/sec/notify.sh $1 '4 min'); \
>    delete heartbeat2_$1
>
> This rule will produce a debug-level message about non-existing
> heartbeat2_$1 when heartbeat messages regularly arrive. If you don't want
> to see this message (even though its level is 'debug'), you can replace
> 'delete heartbeat2_$1' with the following two actions:
>
> exists %e heartbeat2_$1; if %e ( delete heartbeat2_$1 )
>
> The first action checks if the heartbeat2_$1 context exists, and the second
> action invokes the 'delete' action only for existing context.
>
> kind regards,
> risto
>
> 2015-03-31 4:10 GMT+03:00 David Lang <da...@lang.hm>:
>
>> I'm trying to do an alert when a device stops sending logs.
>>
>> This works well (all that's fed to sec is the hostname)
>>
>> type=single
>> ptype=regexp
>> pattern=(\S+)
>> context=[!SEC_INTERNAL_EVENT]
>> desc=heartbeat_$1
>> action=create heartbeat_$1 240 (shellcmd /usr/local/bin/sec/notify.sh $1 '4 min')
>>
>> now I want to modify this so that if it doesn't start reporting again, I'll get
>> another alert in 2 hours.
>> so I try to do:
>>
>> type=single
>> ptype=regexp
>> pattern=(\S+)
>> context=[!SEC_INTERNAL_EVENT]
>> desc=heartbeat_$1
>> action=create heartbeat_$1 240 ( create heartbeat_$1 14400 \
>>    (shellcmd /usr/local/bin/sec/notifiy.sh $1 '2+ hours' ); \
>>    shellcmd /usr/local/bin/sec/notify.sh $1 '4 min')
>>
>> (wrapped to fit the e-mail)
>>
>> but after the first timeout expires, it doesn't recreate it with the longer
>> timeout.
>>
>> Ideally, I'd like to have it continue to re-arm and fire every 2 hours, but
>> until I can get the simple version working, trying to extend it beyond that
>> isn't happening.
>>
>> David Lang
>>
>> ------------------------------------------------------------------------------
>> Dive into the World of Parallel Programming The Go Parallel Website, sponsored
>> by Intel and developed in partnership with Slashdot Media, is your hub for all
>> things parallel software development, from weekly thought leadership blogs to
>> news, videos, case studies, tutorials and more. Take a look and join the
>> conversation now. http://goparallel.sourceforge.net/
>> _______________________________________________
>> Simple-evcorr-users mailing list
>> Simple-evcorr-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
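
Added example, not part of the thread and not code from the SEC project: one way to write the plan from David's reply so that the alert keeps re-arming every 14400 seconds. It uses SEC's 'event' action to feed a synthetic line back into the input instead of a log action; the HEARTBEAT_MISSING marker text, the anchored hostname pattern and the rule order are assumptions made for this example.

```conf
# Rule 1 (assumed to be listed first): matches only the synthetic
# line produced by an expired heartbeat context and creates a new
# long-lived context for the same host. When that context expires
# it alerts and emits the marker again, so the alert repeats until
# a real heartbeat arrives.
# HEARTBEAT_MISSING is a hypothetical marker chosen for this example.
type=single
ptype=regexp
pattern=^HEARTBEAT_MISSING (\S+)$
desc=rearm_$1
action=create heartbeat_$1 14400 ( \
    shellcmd /usr/local/bin/sec/notify.sh $1 '2+ hours'; \
    event 0 HEARTBEAT_MISSING $1 )

# Rule 2: a real heartbeat (input is assumed to be a bare hostname,
# as in the original rule). 'create' on an existing context resets
# its lifetime and action list, so a returning host cancels the
# long-interval alert cycle started by rule 1.
# The pattern is anchored so it cannot match the two-word marker line.
type=single
ptype=regexp
pattern=^(\S+)$
context=[!SEC_INTERNAL_EVENT]
desc=heartbeat_$1
action=create heartbeat_$1 240 ( \
    shellcmd /usr/local/bin/sec/notify.sh $1 '4 min'; \
    event 0 HEARTBEAT_MISSING $1 )
```

The synthetic event is read as new input only after the expiring context's action list has finished and the context has been dropped, so the 'create' in rule 1 builds a fresh context rather than modifying one that is about to be deleted.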