Hi David,

Here's your same rule and same regular expressions using ptype=regexp instead 
of using perlfunc:

type=pair
ptype=regexp
pattern=User <([^\s]+)>.+IP <([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})>.+IPv4 Address <([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})>
desc=Get Name - Global Address - Local Address
action=tcpsock 10.3.0.85:514 LzEC VPN Address Mapping - User="$1" - Global Address ="$2" - Local Address = "$3"%{.nl};
ptype2=regexp
pattern2=Username = ($1).+IP = ($2).+Duration: ([0-9]{1,2}h:[0-9]{1,2}m:[0-9]{1,2}s).+xmt: ([0-9]+).+rcv: ([0-9]+)
desc2=Add Local Address To Disconnect Message
action2=tcpsock 10.3.0.85:514 LzEC VPN Disconnect - User="$1" Global Address="$2" Local Address="%3" Duration="$3" Xmit Bytes="$4 Rcv Bytes="$5"%{.nl};

Notice action2 with local address from the first pattern as %3, and for the 
second pattern, $3 is used for Duration.

Regards,
Rock

From: David Thomas [mailto:dtho...@kwiktrip.com]
Sent: Thursday, October 03, 2019 3:35 PM
To: simple-evcorr-users@lists.sourceforge.net
Subject: [Simple-evcorr-users] Accessing A Perl Hash From Pattern1 In Pattern 2

I'm running into an issue with a correlation I'm trying to implement and I'm 
hoping you can help.

Event 1 happens when a user logs into a vpn.  It has the user's name, the global 
address and the local address assigned by the vpn.
Event 2 happens when the user logs off the vpn.  It has the user's name, the 
global address, the duration and amount of traffic.

My objective is to get the local address from event 1 and combine it with the 
information from event 2.

I'm using a hash to get the name and both addresses from event 1.  Then in 
pattern 2 I reference that to see if the user name and global address match and 
add the local address from the hash.  What I'm trying now is below.

I'm getting messages from action2 tcp sock so it seems like I'm matching the 
pattern but the values of the hash keys that come from pattern 1 are empty.

Here is an example of what I'm getting:
VPN Disconnect - User="" Global Address="" Local Address="" Duration="0h:03m:07s" Xmit Bytes="1689622 Rcv Bytes="34370"

Here is the .sec file I'm currently using.  I'm hoping someone can point out 
what I'm doing wrong.  Thanks!

type=pair
ptype=PerlFunc
pattern=sub { my(%var); \
        if ($_[0] !~ /User <([^\s]+)>.+IP <([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})>.+IPv4 Address <([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})>/) { return 0; } \
        $var{"user"} = $1; \
        $var{"global_address"} = $2; \
        $var{"local_address"} = $3; \
        return \%var; }
desc=Get Name - Global Address - Local Address
action=tcpsock 10.3.0.85:514 LzEC VPN Address Mapping - User="$+{user}" - Global Address ="$+{global_address}" - Local Address = "$+{local_address}"%{.nl};
ptype2=PerlFunc
pattern2=sub { my(%var); \
        if ($_[0] !~ /Username = $+{user}.+IP = $+{global_address}.+Duration: ([0-9]{1,2}h:[0-9]{1,2}m:[0-9]{1,2}s).+xmt: ([0-9]+).+rcv: ([0-9]+)/) { return 0; } \
        $var{"duration"} = $1; \
        $var{"xmit_bytes"} = $2; \
        $var{"rcv_bytes"} = $3; \
        return \%var; }
desc2=Add Local Address To Disconnect Message
action2=tcpsock 10.3.0.85:514 LzEC VPN Disconnect - User="$+{user}" Global Address="$+{global_address}" Local Address="$+{local_address}" Duration="$+{duration}" Xmit Bytes="$+{xmit_bytes} Rcv Bytes="$+{rcv_bytes}"%{.nl};
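
The correlation discussed in this thread, emulated in Python as an added example (not code from either poster or from SEC): values captured from the login event are placed into the logoff pattern, and the local address from event 1 is joined to the disconnect record. It goes beyond the single rule by tracking several sessions at once; the sample lines, function name and record keys are constructed for illustration, and escaping the captured values before reuse is a choice made in this example.

```python
import re

IPV4 = r"[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}"
# Event 1 (login): same three captures as the first pattern, dots escaped.
LOGIN_RE = re.compile(rf"User <([^\s]+)>.+IP <({IPV4})>.+IPv4 Address <({IPV4})>")
# Event 2 (logoff): {user} and {gip} are filled in from event 1 per session.
LOGOFF_TEMPLATE = (r"Username = {user}.+IP = {gip}.+Duration: "
                   r"([0-9]{{1,2}}h:[0-9]{{1,2}}m:[0-9]{{1,2}}s)"
                   r".+xmt: ([0-9]+).+rcv: ([0-9]+)")

# Constructed sample lines shaped to fit the two patterns (not real logs).
SAMPLE = [
    "vpn1: Group <Staff> User <alice> IP <198.51.100.7> IPv4 Address <10.20.0.11> assigned",
    "vpn1: Group <Staff> User <bob> IP <203.0.113.9> IPv4 Address <10.20.0.12> assigned",
    "vpn1: Username = alice, IP = 198.51.100.7, Session disconnected. "
    "Duration: 0h:03m:07s, Bytes xmt: 1689622, Bytes rcv: 34370",
    "vpn1: Username = carol, IP = 192.0.2.5, Session disconnected. "
    "Duration: 0h:01m:00s, Bytes xmt: 10, Bytes rcv: 20",
]

def correlate(lines):
    """Return one record per logoff that follows a matching login."""
    pending = {}  # (user, global_ip) -> (local_ip, compiled logoff regex)
    records = []
    for line in lines:
        login = LOGIN_RE.search(line)
        if login:
            user, gip, lip = login.groups()
            # Escape captured values so "." in an address matches only a dot.
            rx = re.compile(LOGOFF_TEMPLATE.format(
                user=re.escape(user), gip=re.escape(gip)))
            pending[(user, gip)] = (lip, rx)
            continue
        for key, (lip, rx) in list(pending.items()):
            logoff = rx.search(line)
            if logoff:
                duration, xmt, rcv = logoff.groups()
                records.append({"user": key[0], "global": key[1], "local": lip,
                                "duration": duration, "xmt": xmt, "rcv": rcv})
                del pending[key]  # session closed, stop waiting for it
                break
    return records

if __name__ == "__main__":
    for rec in correlate(SAMPLE):
        print(rec)
```

The logoff for carol produces no record because no login for that user and address was seen, and bob's session stays pending.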

