2018-02-12 11:54 GMT+02:00 Jaren Peich <burkol...@gmail.com>:

> Hi,
>
> Thanks again for your response.
>
> The first doubt I still can't understand. I just solved it by adding a rule
> like this and it starts processing.
>
> type=Single
> ptype=SubStr
> pattern=SEC_STARTUP
> context=SEC_INTERNAL_EVENT
> desc=init Signal
> action=create SIGNALSCONTEXT; event reloadSec;
>
> Here is the output for the doubt 1 when the rule above is not added:
>
> Mon Feb 12 10:24:11 2018: SEC (Simple Event Correlator) 2.6.2
> Mon Feb 12 10:24:11 2018: Reading configuration from
> c:\alerts\iniSignals.conf
> Mon Feb 12 10:24:11 2018: Reading configuration from
> c:\alerts\SecSignalsRules.conf
> Mon Feb 12 10:24:11 2018: Reading configuration from c:\alerts\parser.conf
> Mon Feb 12 10:24:11 2018: Reading configuration from
> c:\alerts\conditions.conf
> Mon Feb 12 10:24:11 2018: Reading configuration from
> c:\alerts\alert001\Filter001.conf
> Mon Feb 12 10:24:11 2018: Reading configuration from
> c:\alerts\alert001\Alert001.conf
>
> And here it stops till the hour is reached in the Calendar rule.
>
>
Is my understanding correct that sec does not process any input events
until the Calendar rule fires? Based on the rules from your last two posts,
I have created a rule base for testing purposes (test.sec rule file), and
started sec with the following command line:
sec-2.6.2/sec --conf=test.sec --intevents --input=-

The content of test.sec file is the following:

type=Single
ptype=SubStr
pattern=SEC_STARTUP
context=SEC_INTERNAL_EVENT
continue=TakeNext
desc=Load the Signals module and terminate if it is not found
action=eval %ret (require "/home/risto/SecSignals.pm"); \
       eval %ret (exit(1) unless %ret);

type = single
continue=dontcont
desc = do a soft restart of SEC
context = SIGNALSCONTEXT
ptype = regexp
pattern = ^reloadSec
action = lcall %r ABRT -> ( sub { SecSignals::fake_signal_handler(@_) } ); \
         delete SIGNALSCONTEXT;

type=Calendar
time=*/5 * * * *
desc=$0
action= create SIGNALSCONTEXT; event reloadSec;

type=Single
ptype=regexp
pattern=.
desc=match everything and echo to stdout
action=write - $0

As you can see, I don't have the rule which would generate reloadSec event
when sec starts up (that would simply load the configuration again which is
thus pointless). The fourth rule which echoes input lines to standard
output works as expected and there is no hanging or delay of any sort:

sec-2.6.2/sec --conf=test.sec --intevents --input=-

SEC (Simple Event Correlator) 2.6.2
Reading configuration from test.sec
4 rules loaded from test.sec
Opening input file -
Stdin connected to terminal, SIGINT can't be used for changing the logging
level
Creating SEC internal context 'SEC_INTERNAL_EVENT'
Creating SEC internal event 'SEC_STARTUP'
Evaluating code 'require "/home/risto/SecSignals.pm"' and setting variable
'%ret'
Variable '%ret' set to '1'
Evaluating code 'exit(1) unless 1' and setting variable '%ret'
Variable '%ret' set to '1'
Writing event 'SEC_STARTUP' to file -
SEC_STARTUP
Deleting SEC internal context 'SEC_INTERNAL_EVENT'
aaaaaaaaaaaa  <--- input from keyboard
Writing event 'aaaaaaaaaaaa' to file -
aaaaaaaaaaaa
bbbbbbbbbbbbb  <--- input from keyboard
Writing event 'bbbbbbbbbbbbb' to file -
bbbbbbbbbbbbb
ccccccccccccc  <--- input from keyboard
Writing event 'ccccccccccccc' to file -
ccccccccccccc
dddddddddddddd  <--- input from keyboard
Writing event 'dddddddddddddd' to file -
dddddddddddddd


Therefore, I have two hypotheses:
1) paths to input files have been specified incorrectly,
2) at some point, custom perl code is invoked from your rulebase which does
not return.

Have you tried your rules with a test input file and what log messages does
it produce?

kind regards,
risto
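A pre-flight check built around the two hypotheses at the end of the reply above, as an added example that is not part of SEC or of this thread: it pulls every require "..." path out of a rule file (the form used in the first rule of test.sec), verifies that each module exists and compiles under perl -c, and verifies that each input file named on the command line is readable, so a wrong path is reported before sec is started. It cannot tell whether loaded perl code blocks once sec calls it; that still needs a run against a test input file, as suggested above. The file names in the script are placeholders.

```shell
#!/bin/sh
# Pre-flight check for a SEC rule base (added example, not part of SEC):
# hypothesis 1, --input/--conf paths that do not exist, and hypothesis 2,
# perl code pulled in by  eval %ret (require "...")  that cannot be loaded.

# Print every path that RULEFILE pulls in with require "...", one per line.
sec_required_modules() {
    sed -n 's/.*require[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# check_sec_rules RULEFILE [INPUT...]
# Returns 0 when RULEFILE is readable, every required module exists (and
# compiles, when perl is available to run "perl -c"), and every INPUT is
# readable ("-" means stdin and is skipped). Otherwise prints one line per
# problem on stderr and returns 1. Existence and compilation only: a module
# that loads but never returns from a handler is not detected here.
check_sec_rules() {
    rulefile=$1
    shift
    if [ ! -r "$rulefile" ]; then
        echo "rule file not readable: $rulefile" >&2
        return 1
    fi
    problems=$(
        sec_required_modules "$rulefile" | while IFS= read -r mod; do
            if [ ! -r "$mod" ]; then
                echo "required module missing: $mod"
            elif command -v perl >/dev/null 2>&1 && ! perl -c "$mod" >/dev/null 2>&1; then
                echo "required module does not compile: $mod"
            fi
        done
        for f in "$@"; do
            [ "$f" = "-" ] && continue
            [ -r "$f" ] || echo "input file not readable: $f"
        done
    )
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems" >&2
        return 1
    fi
    return 0
}

# Stand-alone use: sh check_sec_rules.sh RULEFILE [INPUT...]
# e.g. sh check_sec_rules.sh test.sec /var/log/messages
if [ "$#" -gt 0 ]; then
    check_sec_rules "$@"
fi
```

Run it with the same rule file and input paths you pass to sec; an empty report means the remaining suspect is the perl code itself, which is best isolated by feeding a few lines through --input=- as in the test above and watching where the log stops.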
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users