Hi, I am using several input= switches (with contexts) in a single sec rule to monitor several log files for exactly the same error string ..
Now, given each logfile has a different context, I assumed it was straight-forward to grab this in action (or alias) and use it .. But I have spent hours trying to figure out how to just access the name of the current context in an action The docs I have read suggest that the current context is accessible as _THIS .. but this does not seem to be the case .. because: * I have tried to apply copy, assign, alias and report to this _THIS variable and constantly get "Context '_THIS' does not exist" (I am running with --debug=6 --intevents --intcontexts --log=/tmp/blah) * If I send USR1 to sec, the generated dump file shows that the sec is reading the input files and assigning appropriate contexts to them I simply just want to extract the name of the context without knowing exactly what it is .. since it could be one of 10 different values. I suspect I am missing something obvious here .. would really appreciate some help or suggestions thanks in advance .. regards
------------------------------------------------------------------------------
_______________________________________________ Simple-evcorr-users mailing list Simple-evcorr-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
