When looking at your rules, the variables are assigned the values in the
rule file which belongs to fileset "al".

However, there is only one Jump rule in your configuration which directs
events to this particular fileset:

type     = Jump
ptype    = RegExp
desc     = $0
continue = Takenext
pattern  =launch(\d+)
varmap   = alert;ecode=1
cfset    = al

When you inspect its event matching pattern more closely, you will see that
it is the following regular expression:
launch(\d+)

Unfortunately, this regular expression can never match the string
"launAssig".

When I added the following Jump rule into the main.conf file, things
started to work as expected:

type     = Jump
ptype    = RegExp
desc     = $0
continue = Takenext
pattern  =launAssig
cfset    = al


kind regards,
risto



2016-05-26 14:05 GMT+03:00 Jaren Peich <burkol...@gmail.com>:

> Hi,
>
> I explain fully. Using sec 2.6.2.
>
> I have various files for one alert because it depends on a list and I use
> a library to match.
>
> I want to launch some variables on alert.conf file from the load file
> (iniLib.conf).
>
>
> iniLib.conf.-->Load ini rules.
> ____________________________________________________________________
>
> type=Single
> ptype=SubStr
> pattern=SEC_STARTUP
> context=SEC_INTERNAL_EVENT
> continue=TakeNext
> desc=Load the SecModule module and terminate if it is not found
> action=assign %ret 0; eval %ret (require Data::Dumper;); eval %o (exit(1)
> unless %ret)
>
> type=Single
> ptype=SubStr
> pattern=SEC_STARTUP
> context=SEC_INTERNAL_EVENT
> continue=TakeNext
> desc=Load the SecModule module and terminate if it is not found
> action=assign %ret 0; eval %ret (require 'Module.pm'); eval %o (exit(1)
> unless %ret)
>
> #Rule that loads the object into a variable.
> type=Single
> ptype=RegExp
> pattern=^(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)$
> context=SEC_INTERNAL_EVENT
> continue=TakeNext
> desc=create IP address table
> action=lcall %o -> ( sub { Module::build_ip_table('simu.txt') } )
>
> type=Single
> ptype=RegExp
> pattern=^(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)$
> context=SEC_INTERNAL_EVENT
> continue=TakeNext
> desc=-
> action=event launAssig
>
>
>
> main.conf-->Parse string
> ____________________________________________________________________
>
> type     = Jump
> ptype    = RegExp
> desc     = $0
> continue = Takenext
> pattern  =launch(\d+)
> varmap   = alert;ecode=1
> cfset    = al
>
>
> alert.conf-->launch alert
> _____________________________________________________________________
>
> type      = Options
> joincfset = al
> procallin = no
>
> #Here I want the assign rule launched during the load of iniLib.conf
> type    = Single
> continue= TakeNext
> ptype=Substr
> pattern=launAssig
> desc    = -
> action  = assign %category (Log); \
>           assign %summary (Alert); \
>           assign %priority (M); \
>           assign %typology (C);
>
> #||->string separator.
> #contieneElemento->Function to match the numbers from the list using the
> library.
> type    = Single
> ptype   = Cached
> desc    =-
> context= $+{ecode} -> (sub { Module::contieneElemento($_[0])==1} )
> pattern = alert
> continue=TakeNext
> action = eval %o (\
> $string='category=%category||summary=%summary||priority=%priority||tipology=%typology||error
> code=$+{ecode}||'."\n";\
> print $string."\n";);
>
>
> simu.txt
> ____________________________________________________________________
>
> 5
> 6
> 7
>
> input.conf
> ___________________________________________________________________
> launch5
> launch7
>
> Running options
> __________________________________________________________________
>
> -intevents -fromstart -notail
>
> Still not running. Any ideas?
>
> Thank you, Risto. Regards.
>
>
>
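The routing problem described in the reply above, as an added Python model that is not part of the original thread and is not SEC code: it mimics only the Jump rules in main.conf, `procallin = no`, the pattern match cache entry `alert`, and the two rules in alert.conf. The names `run`, `JUMP_ORIGINAL`, `JUMP_FIXED`, `IP_TABLE` and `EVENTS` are hypothetical, the set lookup stands in for `Module::contieneElemento`, and it assumes the synthetic `launAssig` event is processed before the input lines.

```python
import re

# Constructed model of the thread's rule files; none of this is SEC code.
JUMP_ORIGINAL = [{"pattern": r"launch(\d+)", "varmap": "alert", "cfset": "al"}]
JUMP_FIXED = JUMP_ORIGINAL + [{"pattern": r"launAssig", "varmap": None, "cfset": "al"}]
IP_TABLE = {"5", "6", "7"}                    # contents of simu.txt
EVENTS = ["launAssig", "launch5", "launch7"]  # synthetic event, then input.conf


def run(jump_rules, events):
    """Return (events that reached cfset 'al', alerts as (ecode, category))."""
    variables = {}           # action-list variables such as %category
    reached, alerts = [], []
    for event in events:
        cache = {}           # pattern match cache, rebuilt for every event
        routed = False
        for rule in jump_rules:          # main.conf
            match = re.search(rule["pattern"], event)
            if match is None:
                continue
            if rule["varmap"]:           # varmap = alert;ecode=1
                cache[rule["varmap"]] = {"ecode": match.group(1)}
            routed = routed or rule["cfset"] == "al"
        if not routed:
            continue         # procallin=no: alert.conf sees jumped events only
        reached.append(event)
        # alert.conf rule 1: ptype=SubStr, pattern=launAssig, assigns variables
        if "launAssig" in event:
            variables.update(category="Log", summary="Alert",
                             priority="M", typology="C")
        # alert.conf rule 2: ptype=Cached, pattern=alert, context checks ecode
        entry = cache.get("alert")
        if entry and entry["ecode"] in IP_TABLE:
            alerts.append((entry["ecode"], variables.get("category")))
    return reached, alerts


if __name__ == "__main__":
    for name, rules in (("original", JUMP_ORIGINAL), ("fixed", JUMP_FIXED)):
        reached, alerts = run(rules, EVENTS)
        print(name, "reached al:", reached, "alerts:", alerts)
```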