Hello Stuart. Since you are, from what I can see, trying to match portions of text between ASCII spaces with ".*?", why don't you avoid non-greedy quantifiers, opting for a clearer \S+ or [^ ]+, matching specifically on sequences of 1 or more non-whitespace characters (I guess there will always be more than one)? That's more specific and avoids the repeated backtracking of non-greedy quantifiers.
As to why the suppression does not take place, reading from the sec man page on the SingleWithSuppress rule description: "When an event has matched the rule, SEC evaluates the operation description string given with the desc field. If the operation for the given string and rule does not exist, SEC will create it with the lifetime of T seconds, and the operation immediately executes an action list. If the operation exists, it consumes the matching event without any action."

Now, correct me if I am wrong, but your "desc" contains the exact time, from hour to second, of each event. Therefore it can be unique only once every day, and every event has got a different desc string. For instance, for the log line you've posted, the desc string ought to be "Native VLAN mismatch reported on 05:01:47". If that's what you meant, the following event might, for instance, have a desc string such as "Native VLAN mismatch reported on 05:02:37", which is different from the previous desc line and therefore is not correlated to the first as a new instance of the same event.

Did you perhaps wish to use the hostname ( $2 ) in the desc line?

(I hope I didn't make any glaring mistake in my interpretation. I guess Risto might be able to correct me in that case.)

Have a good day,
Fulvio Scapin

On Wed, 12 Feb 2020 at 18:42, Stuart Kendrick < stua...@alleninstitute.org> wrote:

> Given the following in the log line:
>
> 2020-02-12T05:01:47.606728-08:00 5n-2-esx-mgmt 32231: 032195: Feb 12 05:01:46.600 pst: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet3/0/18 (64), with 5n-1-esx.corp.alleninstitute.org GigabitEthernet2/0/42 (60).
>
> And the following sec.conf stanza:
>
> type=SingleWithSuppress
> ptype=regexp
> pattern=T(\d\d:\d\d:\d\d).*? (.*?) .*%CDP-4-NATIVE_VLAN_MISMATCH: (.*)
> desc=Native VLAN mismatch reported on $1
> action=write /home/tocops/.tocpipe ops $1 $2 $3
> window=3600
>
> I would have predicted that the ‘action’ would be performed once/hour (given a steady stream of these messages, which is what I am seeing)
>
> In fact, the action does not get performed
>
> In contrast, the following snippet does result in the action being executed (although the suppression window isn’t honored)
>
> type=singleWithSuppress
> ptype=regexp
> pattern=T(\d\d:\d\d:\d\d).*? (.*?) .*%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on (\S+) \((\d+)\), with (\S+) (\S+) \((\d+)\)
> desc=Native VLAN mistmatch reported between $1 interface $2 (native VLAN $3) and host $4 interface $5 (native VLAN $6)
> action=write /home/tocops/.tocpipe ops $1 $2 Native VLAN Mismatch on interface $3 (native VLAN $4) and $5 interface $6 (native VLAN $7)
> window=3600
>
> Is there some aspect of pattern matching on “.*” that I am not understanding?
>
> --sk
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
_______________________________________________ Simple-evcorr-users mailing list Simple-evcorr-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
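As an added illustration of the desc point (a Python model written here, not SEC's own Perl code and not from this thread): a toy SingleWithSuppress keyed on the expanded desc string, run over constructed log lines in the format quoted above, comparing a desc built from $1 (the timestamp) with one built from $2 (the hostname), and Stuart's lazy pattern with the \S+ form. It assumes the line break inside the first quoted pattern is mail wrapping, and uses each event's own $1 timestamp as the clock.

```python
import re

# Stuart's first pattern (assuming the line break in the quoted mail is wrapping) and
# the \S+ variant Fulvio suggests for the stretch between timestamp and hostname.
LAZY = re.compile(r"T(\d\d:\d\d:\d\d).*? (.*?) .*%CDP-4-NATIVE_VLAN_MISMATCH: (.*)")
STRICT = re.compile(r"T(\d\d:\d\d:\d\d)\S* (\S+) .*%CDP-4-NATIVE_VLAN_MISMATCH: (.*)")

def make_line(ts, host="5n-2-esx-mgmt"):
    # Constructed log line in the format of the one quoted in the thread.
    return (f"2020-02-12T{ts}.606728-08:00 {host} 32231: 032195: Feb 12 {ts}.600 pst: "
            "%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on "
            "GigabitEthernet3/0/18 (64), with 5n-1-esx.corp.alleninstitute.org "
            "GigabitEthernet2/0/42 (60).")

def expand_desc(template, match):
    # Substitute $1, $2, ... with the capture groups, the way SEC expands desc.
    desc = template
    for i, group in enumerate(match.groups(), start=1):
        desc = desc.replace(f"${i}", group)
    return desc

def event_time(match):
    # Toy event clock: seconds since midnight, taken from the $1 timestamp.
    h, m, s = (int(x) for x in match.group(1).split(":"))
    return h * 3600 + m * 60 + s

def single_with_suppress(lines, pattern, desc_template, window):
    """Toy model of SEC's SingleWithSuppress (not SEC's code): one operation per
    distinct desc string, alive for `window` seconds; a new operation runs the
    action once, an existing one silently consumes the event."""
    ops = {}     # desc string -> expiry time of the correlation operation
    fired = []   # desc strings for which the action ran
    for line in lines:
        match = pattern.search(line)
        if not match:
            continue
        desc = expand_desc(desc_template, match)
        now = event_time(match)
        if desc in ops and ops[desc] > now:
            continue                # operation exists: event consumed, no action
        ops[desc] = now + window    # new operation: action executes immediately
        fired.append(desc)
    return fired

if __name__ == "__main__":
    lines = [make_line(ts) for ts in ("05:01:47", "05:02:37", "05:15:02", "06:30:00")]
    # desc from $1 (timestamp): each event gets its own operation, action runs 4 times.
    print(single_with_suppress(lines, LAZY, "Native VLAN mismatch reported on $1", 3600))
    # desc from $2 (hostname): one operation per host per window, action runs twice.
    print(single_with_suppress(lines, STRICT, "Native VLAN mismatch reported by $2", 3600))
```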