...also, I forgot to mention that if you are using the --intcontexts command line option and default input file context names (i.e., _FILE_EVENT_<filename>), you can refer to the current input file context by _FILE_EVENT_$+{_inputsrc}.
hope this helps,
risto

2015-12-15 22:18 GMT+02:00 Risto Vaarandi <risto.vaara...@gmail.com>:

> hi Carlos,
>
> there is no such thing as the current context in action list, since during
> any action list execution many contexts can exist simultaneously.
> Nevertheless, as I can understand from your e-mail, you would like to learn
> what is/are the input file name(s) the matching line(s) came from? If so, I
> would recommend to use the match variable $+{_inputsrc}. For instance, the
> following simple rule echoes each non-empty line to standard output with the
> input file name:
>
> type=single
> ptype=regexp
> pattern=.
> desc=test
> action=write - Input line $0 came from file $+{_inputsrc}
>
> As for the _THIS context name, it is entirely meaningful, but it is
> designed for a different purpose and has been explained in the beginning of
> the "INTERNAL EVENTS AND CONTEXTS" section. _THIS is a special dynamic
> alias name which exists *only* in the action-on-expire list of the context
> and points to the context itself.
>
> In order to understand why this alias name is useful, let's look into the
> following action:
>
> create TEST 60 (report TEST /bin/mail root@localhost)
>
> This action creates a context with a name TEST which exists for 60
> seconds, and when the lifetime of TEST expires, the action "report TEST
> /bin/mail root@localhost" is triggered (in other words, all events saved
> into the context TEST are mailed to root@localhost).
>
> What would happen if the following actions are executed during the
> lifetime of TEST?
>
> add TEST event1 (string "event1" is saved to event store of TEST)
>
> alias TEST ALIAS (an alias name ALIAS is created for context TEST)
>
> add ALIAS event2 (string "event2" is saved to event store of the
> context which has now two names TEST and ALIAS)
>
> unalias TEST (alias name TEST is dropped, and the above context can now
> only be referenced by name ALIAS)
>
> When the above context expires (originally created with the name TEST and
> now having the name ALIAS), the action-on-expire "report TEST /bin/mail
> root@localhost" will fail, since the context name TEST no longer exists.
> However, when the context would have been created with the following action
>
> create TEST 60 (report _THIS /bin/mail root@localhost)
>
> strings "event1" and "event2" would have been mailed to root@localhost,
> since _THIS is a dynamic alias name which points to the context also having
> another name ALIAS.
>
> I hope I was able to answer (at least partially) your original question,
> and also explain the nature of the _THIS alias in a bit more detailed way.
>
> kind regards,
> risto
>
> 2015-12-15 21:10 GMT+02:00 Carlos Gunners <goond...@gmail.com>:
>
>> Hi,
>>
>> I am using several input= switches (with contexts) in a single sec rule
>> to monitor several log files for exactly the same error string ..
>>
>> Now, given each logfile has a different context, I assumed it was
>> straight-forward to grab this in action (or alias) and use it .. But I have
>> spent hours trying to figure out how to just access the name of the current
>> context in an action
>>
>> The docs I have read suggest that the current context is accessible as
>> _THIS .. but this does not seem to be the case .. because:
>>
>> * I have tried to apply copy, assign, alias and report to this _THIS
>> variable and constantly get "Context '_THIS' does not exist"
>> (I am running with --debug=6 --intevents --intcontexts --log=/tmp/blah)
>>
>> * If I send USR1 to sec, the generated dump file shows that the sec is
>> reading the input files and assigning appropriate contexts to them
>>
>> I simply just want to extract the name of the context without knowing
>> exactly what it is .. since it could be one of 10 different values.
>>
>> I suspect I am missing something obvious here .. would really appreciate
>> some help or suggestions
>>
>> thanks in advance ..
>>
>> regards
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> Simple-evcorr-users mailing list
>> Simple-evcorr-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
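
The two points of the reply combined into one rule file, as an added example that is not part of the original thread or of the SEC documentation: $+{_inputsrc} builds a separate context per input file, and _THIS in the action-on-expire list reports that context at expiry. The pattern ERROR and the ERRORS_ context name prefix are assumptions made for illustration.

```conf
# Added example (constructed): collect matching lines per input file and
# mail each file's lines separately when its 60-second window closes.
# Assumptions: the string ERROR and the ERRORS_ context name prefix are
# placeholders; SEC is started with several input files.

# First matching line from a file: no context for that file exists yet,
# so create one with a 60-second lifetime and store the line in it.
# _THIS is valid only inside the action-on-expire list (the parentheses)
# and points to the expiring context whatever names it carries by then.
type=Single
ptype=RegExp
pattern=ERROR
context=!ERRORS_$+{_inputsrc}
desc=open error window for $+{_inputsrc}
action=create ERRORS_$+{_inputsrc} 60 (report _THIS /bin/mail root@localhost); add ERRORS_$+{_inputsrc} $0

# Later matching lines from the same file, while its context is alive:
# append them to that file's event store. Outside an action-on-expire list
# the context must be referenced by its real name, not by _THIS.
type=Single
ptype=RegExp
pattern=ERROR
context=ERRORS_$+{_inputsrc}
desc=collect error from $+{_inputsrc}
action=add ERRORS_$+{_inputsrc} $0
```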