Hi Risto,

Adding "--intevents" fixed the issue, per your suggestion.  Thank you for your assistance.

1) sec has been started without --intevents option. As a result, SEC_STARTUP 
internal event is not generated and %arrayid_to_lnn hash will not be 
initialized,

cat /etc/systemd/system/sec.service
[Unit]
Description=Simple Event Correlator
AssertFileIsExecutable=/opt/local/script/sec
AssertPathExistsGlob=/opt/local/etc/sec/*.conf
After=syslog.target network.target

[Service]
Type=simple
ExecStart=/opt/local/script/sec --conf=/opt/local/etc/sec/*.conf --input=/var/log/syslog --tail --syslog=local0 --nodetach --pid=/var/run/sec.pid --quoting --intevents
#ExecStart=/opt/local/script/sec --conf=/opt/local/etc/sec/*.conf --input=/var/log/syslog --tail --nodetach --pid=/var/run/sec.pid --quoting --intevents --debug=6 --log=/opt/local/var/sec/sec-debug.log
ExecReload=/bin/kill -HUP $MAINPID
User=root

[Install]
WantedBy=multi-user.target

--sk


From: Risto Vaarandi [mailto:risto.vaara...@gmail.com]
Sent: Saturday, August 05, 2017 8:16 AM
To: Stuart Kendrick <stua...@alleninstitute.org>
Cc: simple-evcorr-users@lists.sourceforge.net
Subject: Re: [Simple-evcorr-users] look-up a string in a hash, then write hash 
value

hi Stuart,

I have tried out your ruleset with the test event you have provided, with 
/home/tocops/.tocpipe replaced with - (standard output). I have found no issues 
with the ruleset and it works as expected:

sec --conf=stuart.sec  --input=-  --intevents

SEC (Simple Event Correlator) 2.7.8
Reading configuration from stuart.sec
2 rules loaded from stuart.sec
No --bufsize command line option or --bufsize=0, setting --bufsize to 1
Opening input file -
Interactive process, SIGINT can't be used for changing the logging level
Creating SEC internal context 'SEC_INTERNAL_EVENT'
Creating SEC internal event 'SEC_STARTUP'
Calling code 'CODE(0x2e7af58)' and setting variable '%o'
Variable '%o' set to '1'
Deleting SEC internal context 'SEC_INTERNAL_EVENT'

2017-08-03T06:07:31-07:00 isilon-cluster-10 /boot/kernel.amd64/kernel: 
[gmp_info.c:1863](pid 38910="kt: gmp-config")(tid=103609) new group: <3,2302>: 
{ 3-6:0-34, 8:0-20,22-31,33-34,36-37, 9:1-21,24, 10-11:0-21, 12-13:0-34, 
18:0-21, 21:0-34, 22:0-21, 24:0-34, down: 23, smb: 3-6,8-13,18,21-22,24, nfs: 
3-6,8-13,18,21-22,24, all_enabled_protocols: 3-6,8-13,18,21-22,24 }

Calling code 'CODE(0x2e761d0)' and setting variable '%node'
Variable '%node' set to '7'
Writing event 'ops 06:07:31 isilon-cluster-10 Down Nodes: 7' to file '-'

ops 06:07:31 isilon-cluster-10 Down Nodes: 7


For initializing the %arrayid_to_lnn hash, I have used the following rule from 
one of your previous posts:

# Global variables
type=Single
ptype=SubStr
pattern=SEC_STARTUP
context=SEC_INTERNAL_EVENT
desc=initialize array-id to node mapping hash
action=lcall %o-> (sub {\
                         %arrayid_to_lnn = (21 => 1,\
                                            24 => 2,\
                                             3 => 3,\
                                             4 => 4,\
                                             5 => 5,\
                                             6 => 6,\
                                            23 => 7,\
                                             8 => 8,\
                                             9 => 9,\
                                            10 => 10,\
                                            11 => 11,\
                                            12 => 12,\
                                            13 => 13,\
                                            18 => 14,\
                                            22 => 15,\
                                           );\
                         return 1;\
                        }\
                    )

I have a couple of guesses why the ruleset is not working for you:
1) sec has been started without --intevents option. As a result, SEC_STARTUP 
internal event is not generated and %arrayid_to_lnn hash will not be 
initialized,
2) perhaps there are other rules which can modify %arrayid_to_lnn under 
specific circumstances, and the mapping 23 => 7 has been erased?
If you would like to debug this issue, perhaps it is possible to add the 
following action into the rule:

lcall %arraykeys -> ( sub { join(" ", keys %arrayid_to_lnn) } )
This action will set the %arraykeys action list variable to all array IDs for 
which a mapping exists, with individual IDs separated by a space character. 
Seeing the value of %arraykeys in the sec debug log will help to investigate 
the current state of the %arrayid_to_lnn hash table.
kind regards,
risto



2017-08-05 1:18 GMT+03:00 Stuart Kendrick <stua...@alleninstitute.org>:
>
> Ah, I fumbled sending the correct stanza.  The rule which concerns me is 
> actually this one:
>
> type=SingleWithSuppress
> ptype=regexp
> pattern=T(\d\d:\d\d:\d\d)\-\d\d:\d\d (.*?) .*gmp.info.c.* new group:.* down:\s+(.*?),\s
> desc=Down Nodes: $3
> window=5
> action=lcall %node $3 -> ( sub { $arrayid_to_lnn{$_[0]} } );\
>   if %node (write /home/tocops/.tocpipe ops $1 $2 Down Nodes: %node) else ( write /home/tocops/.tocpipe ops $1 $2 Down Nodes: $3)
> #action=write /home/tocops/.tocpipe ops $1 $2 Down Nodes: $3
>
> Recall that the syslog line looks like this:
>
> 2017-08-03T06:07:31-07:00 isilon-cluster-10 /boot/kernel.amd64/kernel: 
> [gmp_info.c:1863](pid 38910="kt: gmp-config")(tid=103609) new group: 
> <3,2302>: { 3-6:0-34, 8:0-20,22-31,33-34,36-37, 9:1-21,24, 10-11:0-21, 
> 12-13:0-34, 18:0-21, 21:0-34, 22:0-21, 24:0-34, down: 23, smb: 
> 3-6,8-13,18,21-22,24, nfs: 3-6,8-13,18,21-22,24, all_enabled_protocols: 
> 3-6,8-13,18,21-22,24 }
>
> So I claim that $3 is, in fact, set to ‘23’ – I have confirmation on this 
> because my management application (which reads /home/tocops/.tocpipe) posts 
> the following to its interface:
>
> 06:07:31 isilon-cluster-10 Down Nodes: 23
>
> I speculate that the ‘else’ clause executed, which would produce this result.
>
> So I claim I’m back to:
>
> I don’t understand why “sub { $arrayid_to_lnn{23} ” does not return ‘7’
> And more generically, what approaches would you suggest to trouble-shooting 
> action lines, plus embedded Perl?
>
> Is there a way to add print statements, for example?  I am imagining 
> something like:
>
> action=lcall %node $3 -> ( sub { print "I got $_[0]\n"; $arrayid_to_lnn{$_[0]} } );\
>   if %node (write /home/tocops/.tocpipe ops $1 $2 Down Nodes: %node) else ( write /home/tocops/.tocpipe ops $1 $2 Down Nodes: $3)
>
> Other suggestions for adding debug / trace / print information to the 
> execution of action statements?
>
> [BTW:  thank you for pointing out that the example I posted – about drives 
> changing to ‘up’ – won’t work – I had blindly copied my ‘Down Node’ approach 
> to the ‘Drive Change’ stanzas – I will go back and fix this.]
>
> --sk
>
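The hash lookup and the %arraykeys diagnostic from the exchange above, as an added example that is not code from the thread or from sec itself: it reproduces the ruleset's embedded Perl in a stand-alone script so the pattern capture and the hash lookup can be checked outside sec, and emits the kind of trace Stuart asks about via warn (stderr). Assumptions: sec's if/else truth test on %node is approximated by a definedness check, and the syslog line is a shortened constructed copy of the one quoted in the thread.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: run the ruleset's embedded Perl
# outside sec so the regexp captures and the hash lookup can be checked alone.
use strict;
use warnings;

# Same hash the SEC_STARTUP rule fills. It stays empty until init() runs,
# which mirrors sec started without --intevents (SEC_STARTUP never fires).
our %arrayid_to_lnn;

sub init {
    %arrayid_to_lnn = (21 => 1, 24 => 2, 3 => 3, 4 => 4, 5 => 5, 6 => 6,
                       23 => 7, 8 => 8, 9 => 9, 10 => 10, 11 => 11, 12 => 12,
                       13 => 13, 18 => 14, 22 => 15);
    return 1;
}

# The lcall sub from the SingleWithSuppress rule; sec passes $3 in $_[0].
my $lookup = sub { $arrayid_to_lnn{$_[0]} };

# Risto's diagnostic: every array ID that currently has a mapping.
my $arraykeys = sub { join(" ", sort { $a <=> $b } keys %arrayid_to_lnn) };

# Constructed (shortened) copy of the syslog line quoted in the thread.
my $line = '2017-08-03T06:07:31-07:00 isilon-cluster-10 /boot/kernel.amd64/kernel: '
         . '[gmp_info.c:1863](pid 38910="kt: gmp-config")(tid=103609) new group: '
         . '<3,2302>: { 3-6:0-34, 8:0-20, down: 23, smb: 3-6,8-13,18,21-22,24 }';

# Same regexp as the rule's pattern= line.
my $re = qr/T(\d\d:\d\d:\d\d)\-\d\d:\d\d (.*?) .*gmp.info.c.* new group:.* down:\s+(.*?),\s/;

# Builds the event text the rule writes; the if/else on %node is approximated
# here by a definedness test (assumption, not sec's exact truth rule).
sub down_nodes_event {
    my ($text) = @_;
    return undef unless $text =~ $re;
    my ($time, $host, $id) = ($1, $2, $3);
    my $node = $lookup->($id);
    # Trace to stderr: the print-statement style debugging asked about above.
    warn sprintf("lookup: \$3='%s' node='%s' keys='%s'\n",
                 $id, $node // 'undef', $arraykeys->());
    return "ops $time $host Down Nodes: " . (defined $node ? $node : $id);
}

print down_nodes_event($line), "\n";   # hash still empty (no --intevents case)
init();                                # SEC_STARTUP-style initialization
print down_nodes_event($line), "\n";   # same line with the mapping in place
```

Running it shows in the stderr trace whether the lookup sees an empty key list (the no --intevents case) or the full mapping, which is exactly what %arraykeys is meant to reveal in sec's own debug log.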