Oops, that was my typo, the 'end' field of the EventGroup rule should
indeed read:

end=delete seen_connection_from_$2

So the overall rule would be:

type=EventGroup
ptype=regexp
pattern=POST ([0-9.]+) (.*)
context=!seen_connection_from_$2_ip_$1
desc=Check for connection by $2
init=create seen_connection_from_$2
count=alias seen_connection_from_$2 seen_connection_from_$2_ip_$1
end=delete seen_connection_from_$2
window=3600
thresh=5
action = write - 'user $2 logged in from 5 different ips'

regards,
risto

2015-12-03 18:00 GMT+02:00 Jaren Peich <burkol...@gmail.com>:
> Hi,
>
> I add, why don't you delete the context at the "end" line?
>
> Regards.
>
>
> 2015-12-03 16:39 GMT+01:00 Jaren Peich <burkol...@gmail.com>:
>
>>
>> 2015-11-25 23:24 GMT+01:00 Risto Vaarandi <risto.vaara...@gmail.com>:
>>
>>> typo --
>>
>>
>> Hi,
>>
>> Thank you for your help! I've tested and it works well.
>> When do you mean that the "window slides" means that events continue
>> like 80 minutes and it only generates one alert because the context still
>> exists? And not 2 events till the event disappears for a long time?
>>
>> Regards.
>>
>
>
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
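
Added example, not part of the original message and not SEC code: a Python model of the detection the rule above expresses (one user seen from 5 distinct source IPs within 3600 seconds), run over constructed events. It uses a simple trailing window and does not reproduce SEC's EventGroup operation lifecycle; the function name `detect` and the sample data are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Same regexp as the rule's pattern field: $1 = source IP, $2 = user
PATTERN = re.compile(r"POST ([0-9.]+) (.*)")

def detect(events, window=3600, thresh=5):
    """events: iterable of (unix_time, line) in time order.
    Returns [(unix_time, user)] for each time a user reaches `thresh`
    distinct source IPs within `window` seconds."""
    first_seen = defaultdict(dict)  # user -> {ip: time the IP was first counted}
    alerts = []
    for ts, line in events:
        m = PATTERN.search(line)
        if not m:
            continue
        ip, user = m.group(1), m.group(2)
        ips = first_seen[user]
        # Expire IPs that were counted more than `window` seconds ago
        for old in [i for i, t in ips.items() if ts - t > window]:
            del ips[old]
        if ip in ips:
            continue  # repeat connection from a known IP is not counted again
        ips[ip] = ts
        if len(ips) >= thresh:
            alerts.append((ts, user))
            ips.clear()  # start counting afresh for this user after the alert
    return alerts

# Constructed sample events (timestamps in seconds), not real log data
SAMPLE = [
    (0, "POST 10.0.0.1 alice"),
    (60, "POST 10.0.0.1 alice"),    # repeat IP, ignored
    (120, "POST 10.0.0.2 alice"),
    (200, "POST 192.0.2.7 bob"),
    (300, "POST 10.0.0.3 alice"),
    (900, "POST 10.0.0.4 alice"),
    (1800, "POST 10.0.0.5 alice"),  # fifth distinct IP inside the window
    (2000, "POST 192.0.2.8 bob"),
    (9000, "POST 192.0.2.9 bob"),   # bob's earlier IPs have expired by now
]

if __name__ == "__main__":
    for ts, user in detect(SAMPLE):
        print(f"t={ts}: user {user} reached the distinct-IP threshold")
```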