Hi,
In this case the rules are ordered, but there are some cases, I've seen, where
there is disordered data, and in other files. I've seen it today. I have to do
a Perl search.
It can also come as input like this; it's quite a pity:
email:Mid 52365 sender:'ja...@sec.com'
email:Mid 52366 sender:'s...@sec.com'
email:Mid 52364 Subject:'Hello World'
email:Mid 52366 Subject:'Hello World'
email:Mid 52364 sender:'pe...@sec.com'
email:Mid 52365 Subject:'Hello World'
I'm trying to access the context data; I just copy only the action here:
action = copy SM_$+{subject} %hashmids; lcall %o %hashmids -> ( sub{\
$i=0;\
my(@arraymids)=();\
%pmid=%{ $_[0] };\
@midcont = values %pmid;\
foreach my $lmid (@midcont) {\
print "\nlmid===>$lmid\n" if defined($mid);\
}\
@files = <C:\\files\\m*.log>;\
print "@files";\
if(@files){\
foreach $file (@files) {\
open (FILE, "$file");\
while($line= <FILE> ){\
my ($mid, $email)= $line=~ m/email:Mid\s(\d+)\ssender\:\'([^\']*)\'/gi;\
print "\n====>Vuelta\n";\
print "$midcont[0]";\
foreach my $lmid (@midcont) {\
print "\nMid fichero===>$mid\tlmid===>$lmid\n" if defined($mid);\
if ($mid == $lmid){\
my ($username, $domain) = $email =~ /(.*)@(.*)/;\
print "\nDOMAIN FINDED===>$domain\n";\
unshift(@arraymids, $domain);\
}\
}\
}\
}\
}else{\
print "========>NO FILES TO SEARCH";\
}\
}\
);reset 0;
Output is not as expected:
Stdin connected to terminal, SIGINT can't be used for changing the logging
level
Creating SEC internal context 'SEC_INTERNAL_EVENT'
Creating SEC internal event 'SEC_STARTUP'
Deleting SEC internal context 'SEC_INTERNAL_EVENT'
Creating context 'SM_Hello World'
Adding event(s) '52364' to context 'SM_Hello World'
Adding event(s) '52365' to context 'SM_Hello World'
Adding event(s) '52366' to context 'SM_Hello World'
Copying context 'SM_Hello World' to variable '%hashmids'
Variable '%hashmids' set to '52364
52365
52366'
Calling code 'CODE(0x2927f34)' and setting variable '%o'
C:\log.log
====>Vuelta
Use of uninitialized value $main::SEC::midcont[0] in string at (eval 4)
line 1, <FILE> line 1.
====>Vuelta
Use of uninitialized value $main::SEC::midcont[0] in string at (eval 4)
line 1, <FILE> line 2.
====>Vuelta
Use of uninitialized value $main::SEC::midcont[0] in string at (eval 4)
line 1, <FILE> line 3.
Variable '%o' set to ''
Terminating event correlation operation 'C:\prueba.conf | 1 | create
context by subject_Hello World'
Creating SEC internal context 'SEC_INTERNAL_EVENT'
Creating SEC internal event 'SEC_SHUTDOWN'
Deleting SEC internal context 'SEC_INTERNAL_EVENT'
I don't know why I can't access the %hashmids that I copied before and
added as a parameter. How can I reference it?
Thank you for your help Risto. Regards.
2016-10-03 15:33 GMT+02:00 Risto Vaarandi <risto.vaara...@gmail.com>:
> hi Jaren,
> let me add a few suggestions below:
>
> >
> > rem=create context and store first mid-count 2 and 3
> > type=EventGroup1
> > ptype=Cached
> > pattern=SubjectMID
> > context=SM_$+{subject}
> > thresh=2
> > window=60
> > count=add SM_$+{subject} $+{mid}
> > desc=create context by subject_$+{subject}
> > end=delete SM_$+{subject}
> > action = copy SM_$+{subject} %hashmids; lcall %o %hashmids -> ( \
> > print "\nArrive!!!!!";\
>
> The Perl code that has been provided with 'lcall' action is not a
> valid function definition, and you need to enclose the code in sub { }
> construct. For example:
>
> lcall %o %hashmids -> ( sub { print "\nArrive!!!!!"; } )
>
> Also, the value of the %hashmids variable is not used in the function
> (in the Perl function, the $_[0] variable refers to the first input
> parameter).
>
> > Output:
> >
> > SEC (Simple Event Correlator) 2.6.2
> > Reading configuration from C:\prueba.conf
> >
> > Rule in C:\prueba.conf at line 10: Eval 'print "\nArrive!!!!!";' didn't
> > return a code reference: 1
> > Rule in C:\prueba.conf at line 10: Invalid action list ' copy
> SM_$+{subject}
> > %hashmids; lcall %o %hashmids -> ( print "\nArrive!!!!!";);reset 0; '
>
> you are seeing this error message since 'lcall' does not have a
> correct function definition (see my previous remark).
>
> >
> > Is it possible to pass to the perl function a changing context name
> > depending on the $+{subject} variable and process this data as I told you
> > before?
>
> you can do that, but then you would have to access SEC's internal
> context data structure, in order to process the context event store
> (the context name serves as a key into %main::context_list hash table,
> and in this hash table). In my opinion, that is not a very clean way,
> and passing a newline separated string of numerals into the function
> is both simpler and more readable. Also, you wouldn't have any
> dependencies on sec internals.
>
> Just out of curiosity -- is my understanding correct that the lines
> you want to process are all appearing in the same input file:
>
> email:Mid 52364 Subject:'Hello World'
> email:Mid 52365 Subject:'Hello World'
> email:Mid 52366 Subject:'Hello World'
> email:Mid 52366 sender:'s...@sec.com'
> email:Mid 52365 sender:'ja...@sec.com'
> email:Mid 52364 sender:'pe...@sec.com'
>
> If that is the case, it might be cheaper not to repeatedly search the
> input file with Perl code which is expensive, but rather implement the
> same logic with sec rules. What is your actual goal for extracting the
> e-mail addresses based on subject lines? There might be a much shorter
> and more elegant way for addressing this problem.
>
> kind regards,
> risto
>
>
> > One creates 'SM_Hello World', another email context can be 'SM_Hello from
> > SEC', another one 'SM_Hallo Frank', 'SM_Julius notes', etc...
> >
> > Finally, in the first email I just added the Perl function that I designed
> > to search this data in the files.
> >
> > This one (not working, because I added notes text between ##########):
> >
> > eval %o ( \
> > $i=0;\
> > my(@arraymids)=();\
> > ####################################\
> > #Here i want to read again the context and extract the values. Add to the
> > array for processing.\
> > @midcont=("52366","52365","52364");\
> > ###################################
> > @files = <C:\\files\\m*.log>;\
> > print "@files";\
> > if(@files){\
> > foreach $file (@files) {\
> > open (FILE, "$file");\
> > while($line= <FILE> ){\
> > my ($mid, $email)= $line=~ m/email:Mid\s(\d+)\ssender\:\'([^\']*)\'/gi;\
> > print "\n====>Vuelta\n";\
> > foreach my $lmid (@midcont) {\
> > print "\nMid fichero===>$mid\tlmid===>$lmid\n" if defined($mid);\
> > if ($mid == $lmid){\
> > my ($username, $domain) = $email =~ /(.*)@(.*)/;\
> > print "\nDOMAIN FINDED===>$domain\n";\
> > unshift(@arraymids, $domain);\
> > }\
> > }\
> > }\
> > }\
> > if($arraymids[0] eq $arraymids[1] && $arraymids[0] eq $arraymids[2]){\
> > print "\n=======>SAME DOMAIN\n";\
> > }else{\
> > print "\n=======>Different DOMAIN\n";\
> > }\
> > }else{\
> > print "========>NO FILES TO SEARCH";\
> > }\
> > );reset 0;
> >
> >
> >
> > Thank you Risto again. Regards.
> >
> > 2016-10-01 12:50 GMT+02:00 Risto Vaarandi <risto.vaara...@gmail.com>:
> >>
> >> 2016-09-30 12:20 GMT+03:00 Jaren Peich <burkol...@gmail.com>:
> >> > Hi Risto,
> >> >
> >> > I have a little doubt that I haven't seen in the documentation.
> >> > I want to detect and keep some data from the logs and then read the
> >> > context
> >> > again and extract this data to process this info through a Perl
> >> > function.
> >> >
> >>
> >> ...
> >>
> >> > action = eval %o ( \
> >> > $i=0;\
> >> > my(@arraymids)=();\
> >> > ####################################\
> >> > #Here i want to read again the context and extract the values. Add to
> >> > the
> >> > array for processing.\
> >> > @midcont=("52366","52365","52364");\
> >> > ###################################
> >>
> >> I am still not sure whether I have understood the problem correctly,
> >> but if you would like to access the event store of the SEC context
> >> from a Perl function/expression, I would recommend to use the 'copy'
> >> action before the Perl code is invoked. For example, if the event
> >> store of context TEST contains events "test1", "test2" and "test3",
> >> then the following action
> >>
> >> copy TEST %events
> >>
> >> will set the action list variable %events to the following string
> >> "test1<NEWLINE>test2<NEWLINE>test3".
> >> After the %events variable has been set, you can pass it as an input
> >> parameter to the Perl function invoked with 'lcall' action. If you are
> >> using 'eval', the %events variable can be directly accessed from the
> >> Perl code, since it is substituted before each compilation and
> >> execution. (Again, I would take the opportunity and recommend the use
> >> of 'lcall' instead of 'eval', since 'lcall' is much more efficient.)
> >>
> >> kind regards,
> >> risto
> >
> >
>
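An added example, not code from this thread or from SEC itself, of the function one would hand to 'lcall' written the way Risto describes: $_[0] is the newline-separated string that the 'copy' action produces, so it is split into a list rather than dereferenced as a hash. The log lines, e-mail addresses and Mid values below are constructed; inside SEC the sub would be passed as `lcall %o %hashmids -> ( sub { ... } )` and would read the log files instead of the embedded list.

```perl
#!/usr/bin/perl
# Added example (not from the thread): a function shaped for SEC's lcall action.
# $_[0] is the string that 'copy SM_$+{subject} %hashmids' produces, e.g.
# "52364\n52365\n52366", so it must be split, not treated as a hash reference.
use strict;
use warnings;

# Constructed sample log lines standing in for C:\files\m*.log.
my @sample_lines = (
    "email:Mid 52365 sender:'jaren\@sec.com'",
    "email:Mid 52366 sender:'sven\@sec.com'",
    "email:Mid 52364 Subject:'Hello World'",
    "email:Mid 52364 sender:'peter\@other.org'",
    "email:Mid 99999 sender:'nobody\@elsewhere.net'",
);

# $_[0]: copied context store (one Mid per line); $_[1]: array ref of log lines.
# Returns a hash ref with the domain found per Mid and whether they all agree.
sub domains_for_mids {
    my ($mid_string, $lines) = @_;
    # split on newlines: the copy action yields a string, never a hash reference
    my %wanted = map { $_ => 1 } grep { length } split /\n/, $mid_string;
    my %domain_of;
    for my $line (@$lines) {
        my ($mid, $email) = $line =~ /email:Mid\s+(\d+)\s+sender:'([^']*)'/i
            or next;                      # skip Subject lines and non-matches
        next unless $wanted{$mid};        # only Mids from this context
        my ($domain) = $email =~ /\@(.+)$/ or next;
        $domain_of{$mid} = lc $domain;
    }
    my %seen = map { $_ => 1 } values %domain_of;
    # an empty result (no Mid matched) counts as "not the same domain"
    return { domains => \%domain_of,
             same_domain => (scalar(keys %seen) == 1) ? 1 : 0 };
}

# Stand-alone run: the string SEC would pass after 'copy SM_Hello World %hashmids'
my $hashmids = "52364\n52365\n52366";
my $result = domains_for_mids($hashmids, \@sample_lines);
for my $mid (sort keys %{ $result->{domains} }) {
    print "Mid $mid -> $result->{domains}{$mid}\n";
}
print $result->{same_domain} ? "SAME DOMAIN\n" : "Different DOMAIN\n";
```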
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users