Hi, I want to design a rule to detect that SEC could not open log files.

Firstly, I have to check that rules have been loaded into SEC. I do this by detecting the string "rules loaded from" in the SEC log file. Secondly, I have to detect that no new log row appears in the SEC log file, or that it has written an error to the log file. I want to check that SEC has received no input data in a minute. If in that minute no input data was found, or an error was written, generate an alert. The doubt is how I can check input sources on SEC: is SEC waiting for more logs, or is it reading? I use SEC 2.6.2 with Windows.

The following code is my alert structure:

File1.conf
________________________________________________________________________________
type = Jump
ptype = RegExp
desc = $0
continue = TakeNext
pattern = (.*)
varmap = sal; log=0
cfset = sal

File2.conf
________________________________________________________________________________
type = Options
joincfset = sal
procallin = no

type = Jump
ptype = Cached
continue = TakeNext
context = ($+{log} -> (sub { index($_[0], "No valid rules found in configuration file") != -1; })) || ($+{log} -> (sub { index($_[0], "Unmatched") != -1; })) || ($+{log} -> (sub { index($_[0], "Error evaluating code") != -1; })) || ($+{log} -> (sub { index($_[0], "Can't jump to fileset") != -1; })) || ($+{log} -> (sub { index($_[0], "Invalid context specification") != -1; }))
pattern = sal
cfset = sal-Alerta

type = Jump
ptype = Cached
continue = TakeNext
context = ($+{log} -> (sub { index($_[0], "rules loaded from") != -1; })) || ($+{log} -> (sub { index($_[0], "Opening input file") != -1; }))
pattern = sal
cfset = sal-Alerta

File4.conf
________________________________________________________________________________
type = Options
joincfset = sal-Alerta
procallin = no

type = EventGroup2
ptype = Cached
pattern = sal
# the index() test must be the last statement so that its result is the sub's return value
context = ($+{log} -> (sub { print "Check1!!!!!!!!"; index($_[0], "rules loaded from") != -1; }))
count = none
thresh = 1
pattern2 = sal
ptype2 = Cached
context2 = ($+{log} -> (sub { print "Check2!!!!!!!!"; index($_[0], "Opening input file") != -1; }))
thresh2 = 1
window = 60
desc = Fichero_$+{inputsrc}
action = write C:\alert.log "No file reading"

Thank you for your help Risto! Regards.
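The correlation the post is after, as an added example that is not part of the original message or of SEC itself: plain Python run over constructed SEC log lines, alerting when a "rules loaded from" line is not followed by "Opening input file" within 60 seconds, or when one of the listed SEC error strings appears. The timestamp layout is assumed to be SEC's own `Mon Mar 10 10:00:00 2014: message` form.

```python
import re
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)
START_MARK = "rules loaded from"      # SEC finished loading a rule file
OK_MARK = "Opening input file"        # SEC opened an input source
ERROR_MARKS = (                       # the error strings the post checks for
    "No valid rules found in configuration file", "Unmatched",
    "Error evaluating code", "Can't jump to fileset",
    "Invalid context specification",
)
# Assumed SEC log layout: "Mon Mar 10 10:00:00 2014: message".
LINE_RE = re.compile(r"^([A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}): (.*)$")

def parse_ts(text):
    """Parse a timestamp written in SEC's log format into a datetime."""
    return datetime.strptime(text, "%a %b %d %H:%M:%S %Y")

def parse_line(line):
    """Split one SEC log line into (datetime, message); None if it does not match."""
    m = LINE_RE.match(line)
    return (parse_ts(m.group(1)), m.group(2)) if m else None

def check_sec_log(lines, now=None, window=WINDOW):
    """Return alert strings: one per SEC error line, and one whenever a rules load
    is not followed by an input-file open within the window.  `now` (a datetime)
    lets the caller flag a load that is still unanswered when the log simply stops."""
    alerts, pending = [], None    # pending: time of the last unanswered rules load
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # not a SEC log line; ignore it
        ts, msg = parsed
        if pending is not None and ts - pending > window:
            alerts.append(f"No file reading within {window.seconds}s of rules load at {pending}")
            pending = None
        if any(mark in msg for mark in ERROR_MARKS):
            alerts.append(f"SEC error: {msg}")
        elif START_MARK in msg:
            pending = ts
        elif OK_MARK in msg:
            pending = None        # the expected follow-up arrived in time
    if pending is not None and now is not None and now - pending > window:
        alerts.append(f"No file reading within {window.seconds}s of rules load at {pending}")
    return alerts

# Constructed sample of SEC's own log file (not real output): the second load
# is answered too late, and an error is logged at the end.
SAMPLE_LOG = [
    "Mon Mar 10 10:00:00 2014: Reading configuration from C:\\sec\\rules.conf",
    "Mon Mar 10 10:00:00 2014: 12 rules loaded from C:\\sec\\rules.conf",
    "Mon Mar 10 10:00:01 2014: Opening input file C:\\logs\\app.log",
    "Mon Mar 10 10:30:00 2014: 12 rules loaded from C:\\sec\\rules.conf",
    "Mon Mar 10 10:32:15 2014: Opening input file C:\\logs\\app.log",
    "Mon Mar 10 11:00:00 2014: Invalid context specification at line 7",
]

if __name__ == "__main__":
    for alert in check_sec_log(SAMPLE_LOG):
        print(alert)
```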
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users