I'm not getting the behavior I was expecting, so wanted to ask about
'set'. I've read the man page that says:
/set <name> <time> [<action list>]/
Change settings for the context <name>. The creation time of the
context is set to the current time, and the lifetime of the context
is set to <time> seconds. If the <action list> parameter is given,
the context action list is set to <action list>. The <name>
parameter may not contain whitespace and defaults to %s. The <time>
parameter must evaluate to an unsigned integer or hyphen (-) at
runtime. Specifying 0 for <time> means infinite lifetime. If <time>
equals to -, the creation time and lifetime of the context are not
changed. If <action list> contains several actions, the list must be
enclosed in parentheses. In <action list>, the internal context name
_THIS may be used for referring to the current context (see INTERNAL
EVENTS AND CONTEXTS section for a detailed discussion).
When i try to set the action list on a context that already has an
action list, it does not accept (no errors either) the change by 'set'
action. The context retains the original action list.
This is my test SEC rule file:
type=Single
ptype=SubStr
pattern=set
desc=$0
action= set TESTCTX 60
type=Single
ptype=SubStr
pattern=setaction
desc=$0
action= set TESTCTX 60 ( write - "setaction : TEXTCTX expired at %t" )
type=Single
ptype=SubStr
pattern=test
desc=$0
action= exists %have_TESTCTX TESTCTX; \
if %have_TESTCTX ( \
write - "TEXTCTX context exists" \
)
type=Single
ptype=SubStr
pattern=create
desc=$0
action= create TESTCTX 60 ( write - "original : TEXTCTX expired at %t" )
type=Single
ptype=SubStr
pattern=obsolete
desc=$0
action= obsolete TESTCTX
Here's the output when I run the above test rules:
# sec -conf=./test.sec -input=-
SEC (Simple Event Correlator) 2.7.7
Reading configuration from ./test.sec
5 rules loaded from ./test.sec
No --bufsize command line option or --bufsize=0, setting --bufsize to 1
Opening input file -
Interactive process, SIGINT can't be used for changing the logging level
create
Creating context 'TESTCTX'
test
Checking the presence of context 'TESTCTX'
Variable '%have_TESTCTX' set to '1'
Writing event '"TEXTCTX context exists"' to file '-'
"TEXTCTX context exists"
set
Changing settings for context 'TESTCTX'
test
Checking the presence of context 'TESTCTX'
Variable '%have_TESTCTX' set to '1'
Writing event '"TEXTCTX context exists"' to file '-'
"TEXTCTX context exists"
setaction
Changing settings for context 'TESTCTX'
test
Checking the presence of context 'TESTCTX'
Variable '%have_TESTCTX' set to '1'
Writing event '"TEXTCTX context exists"' to file '-'
"TEXTCTX context exists"
obsolete
Obsoleting context 'TESTCTX'
Deleting stale context 'TESTCTX'
Writing event '"original : TEXTCTX expired at Thu Oct 15 19:45:39 2015"'
to file '-'
"original : TEXTCTX expired at Thu Oct 15 19:45:39 2015"
Stale context 'TESTCTX' deleted
create
Creating context 'TESTCTX'
obsolete
Obsoleting context 'TESTCTX'
Deleting stale context 'TESTCTX'
Writing event '"original : TEXTCTX expired at Thu Oct 15 19:46:04 2015"'
to file '-'
"original : TEXTCTX expired at Thu Oct 15 19:46:04 2015"
Stale context 'TESTCTX' deleted
After the 'setaction' message, I was expecting a different action list
to be executed when I issued 'obsolete' message, not the original action
list from when the context was created?
Is this as intended or a bug?
Bond
------------------------------------------------------------------------------
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
