hi Carlos,

there is no such thing as the current context in action list, since during any action list execution many contexts can exist simultaneously. Nevertheless, as I can understand from your e-mail, you would like to learn what is/are the input file name(s) the matching line(s) came from? If so, I would recommend using the match variable $+{_inputsrc}. For instance, the following simple rule echoes each non-empty line to standard output with the input file name:

type=single
ptype=regexp
pattern=.
desc=test
action=write - Input line $0 came from file $+{_inputsrc}

As for the _THIS context name, it is entirely meaningful, but it is designed for a different purpose and has been explained in the beginning of the "INTERNAL EVENTS AND CONTEXTS" section. _THIS is a special dynamic alias name which exists *only* in the action-on-expire list of the context and points to the context itself. In order to understand why this alias name is useful, let's look into the following action:

create TEST 60 (report TEST /bin/mail root@localhost)

This action creates a context with a name TEST which exists for 60 seconds, and when the lifetime of TEST expires, the action "report TEST /bin/mail root@localhost" is triggered (in other words, all events saved into the context TEST are mailed to root@localhost).

What would happen if the following actions are executed during the lifetime of TEST?

add TEST event1 (string "event1" is saved to event store of TEST)
alias TEST ALIAS (an alias name ALIAS is created for context TEST)
add ALIAS event2 (string "event2" is saved to event store of the context which has now two names TEST and ALIAS)
unalias TEST (alias name TEST is dropped, and the above context can now only be referenced by name ALIAS)

When the above context expires (originally created with the name TEST and now having the name ALIAS), the action-on-expire "report TEST /bin/mail root@localhost" will fail, since the context name TEST no longer exists. However, when the context would have been created with the following action

create TEST 60 (report _THIS /bin/mail root@localhost)

strings "event1" and "event2" would have been mailed to root@localhost, since _THIS is a dynamic alias name which points to the context also having another name ALIAS.

I hope I was able to answer (at least partially) your original question, and also explain the nature of the _THIS alias in a bit more detailed way.
kind regards,
risto

2015-12-15 21:10 GMT+02:00 Carlos Gunners <goond...@gmail.com>:
> Hi,
>
> I am using several input= switches (with contexts) in a single sec rule to
> monitor several log files for exactly the same error string ..
>
> Now, given each logfile has a different context, I assumed it was
> straight-forward to grab this in action (or alias) and use it .. But I have
> spent hours trying to figure out how to just access the name of the current
> context in an action
>
> The docs I have read suggest that the current context is accessible as
> _THIS .. but this does not seem to be the case .. because:
>
> * I have tried to apply copy, assign, alias and report to this _THIS
> variable and constantly get "Context '_THIS' does not exist"
> (I am running with --debug=6 --intevents --intcontexts --log=/tmp/blah)
>
> * If I send USR1 to sec, the generated dump file shows that the sec is
> reading the input files and assigning appropriate contexts to them
>
> I simply just want to extract the name of the context without knowing
> exactly what it is .. since it could be one of 10 different values.
>
> I suspect I am missing something obvious here .. would really appreciate
> some help or suggestions
>
> thanks in advance ..
>
> regards
>
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
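
Added example, not part of the original thread and not SEC's own code: a simplified Python model of the create/add/alias/unalias sequence from the reply above, showing why an action-on-expire that names TEST fails after "unalias TEST" while one that names _THIS still reports both events. ContextStore, run_scenario and the in-memory "mailed" list are hypothetical names; the error text is the one quoted in the original question.

```python
class ContextStore:
    """Toy model: several names (aliases) may point at one context record."""

    def __init__(self):
        self.names = {}    # context name -> shared context record
        self.mailed = []   # stands in for piping events to /bin/mail

    def create(self, name, lifetime, report_target):
        # report_target is the name used by the action-on-expire
        # "report <name> /bin/mail root@localhost"
        self.names[name] = {"events": [], "lifetime": lifetime,
                            "on_expire": report_target}

    def add(self, name, event):
        self.names[name]["events"].append(event)

    def alias(self, name, new_name):
        self.names[new_name] = self.names[name]

    def unalias(self, name):
        del self.names[name]

    def report(self, name):
        ctx = self.names.get(name)
        if ctx is None:
            return f"Context '{name}' does not exist"
        self.mailed.append(list(ctx["events"]))
        return "ok"

    def expire(self, any_name):
        ctx = self.names[any_name]
        # _THIS is bound only while the action-on-expire list runs
        self.names["_THIS"] = ctx
        try:
            return self.report(ctx["on_expire"])
        finally:
            # drop every name of the expired context, _THIS included
            for n in [n for n, c in self.names.items() if c is ctx]:
                del self.names[n]


def run_scenario(report_target):
    s = ContextStore()
    s.create("TEST", 60, report_target)
    s.add("TEST", "event1")
    s.alias("TEST", "ALIAS")
    s.add("ALIAS", "event2")
    s.unalias("TEST")
    outside = s.report("_THIS")   # _THIS used outside an action-on-expire list
    return outside, s.expire("ALIAS"), s.mailed
```

run_scenario("TEST") models the first create action from the reply and run_scenario("_THIS") the second; the first element of each result is what a rule action gets when it refers to _THIS outside an action-on-expire list.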