Hi Risto,

Thank you very much for your help. I have another question related to this problem.

Suppose we have the following entries in less than 60 seconds:

EVENT_TYPE_A 1.1.1.1    <--- the beginning of input for SEC
EVENT_TYPE_A 2.2.2.2
EVENT_TYPE_B 1.1.1.1
EVENT_TYPE_B 2.2.2.2
EVENT_TYPE_C 1.1.1.1
FINISH                  <--- (FINISH is also an event) the end of input for SEC

We have the following rules:

Rule 1:

type=EventGroup2
ptype=RegExp
pattern=EVENT_TYPE_A ([\d.]+)
continue=TakeNext
ptype2=RegExp
pattern2=EVENT_TYPE_B ([\d.]+)
continue2=TakeNext
desc=Events A and B observed for IP $1 within 60 seconds
action=logonly Events A and B observed for IP $1
window=60

Rule 2:

type=EventGroup3
ptype=RegExp
pattern=EVENT_TYPE_A ([\d.]+)
continue=TakeNext
ptype2=RegExp
pattern2=EVENT_TYPE_B ([\d.]+)
continue2=TakeNext
ptype3=RegExp
pattern3=EVENT_TYPE_C ([\d.]+)
continue3=TakeNext
desc=Events A, B and C observed for IP $1 within 60 seconds
action=logonly Events A , B and C observed for IP $1
window=60

We get the following output:

Events A and B observed for IP 1.1.1.1
Events A and B observed for IP 2.2.2.2
Events A , B and C observed for IP 1.1.1.1

I am expecting the following output instead:

Events A and B observed for IP 2.2.2.2
Events A , B and C observed for IP 1.1.1.1

The idea is to reduce the output.
Kind regards,
Agustín

----------------------------------------------------------------------------------------------------------------------

hi Agustin,

I have tried the rule from your e-mail, and I am able to get the output you are expecting:

/usr/bin/sec --conf=test4.sec --input=-
SEC (Simple Event Correlator) 2.8.2
Reading configuration from test4.sec
1 rules loaded from test4.sec
No --bufsize command line option or --bufsize=0, setting --bufsize to 1
Opening input file -
Interactive process, SIGINT can't be used for changing the logging level
EVENT_TYPE_A 1.1.1.1    <--- the beginning of input for SEC
EVENT_TYPE_A 2.2.2.2
EVENT_TYPE_B 1.1.1.1
EVENT_TYPE_B 2.2.2.2    <--- the end of input for SEC
Writing event 'Events A and B observed for IP 1.1.1.1 within 60 seconds' to file '-'
Events A and B observed for IP 1.1.1.1 within 60 seconds
Writing event 'Events A and B observed for IP 2.2.2.2 within 60 seconds' to file '-'
Events A and B observed for IP 2.2.2.2 within 60 seconds

Are you sure that events for IP address 2.2.2.2 are separated by at most 60 seconds? If there is a larger time gap between those two events, the event correlation operation for 2.2.2.2 will not produce the expected output.

kind regards,
risto
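To make the behaviour discussed in the thread reproducible without a SEC install, here is an added example (not code from the thread or from SEC itself) that models the two EventGroup rules as one correlation operation per rule and $1 key, fired once when every pattern has matched inside the 60-second window. The sample events and their timestamps are constructed, the model ignores SEC details such as count thresholds and context expressions, and suppress_subsumed is a hypothetical post-filter illustrating the reduced output Agustín asked for, not a SEC feature.

```python
import re

# Constructed sample input (timestamps in seconds); the "<---" annotations in
# the e-mail are not events, so they are left out.
SAMPLE_EVENTS = [
    (0, "EVENT_TYPE_A 1.1.1.1"), (5, "EVENT_TYPE_A 2.2.2.2"),
    (10, "EVENT_TYPE_B 1.1.1.1"), (15, "EVENT_TYPE_B 2.2.2.2"),
    (20, "EVENT_TYPE_C 1.1.1.1"), (25, "FINISH"),
]

# The two rules from the thread: (output text, ordered list of pattern regexps).
RULES = [
    ("Events A and B observed for IP $1",
     [r"EVENT_TYPE_A ([\d.]+)", r"EVENT_TYPE_B ([\d.]+)"]),
    ("Events A , B and C observed for IP $1",
     [r"EVENT_TYPE_A ([\d.]+)", r"EVENT_TYPE_B ([\d.]+)", r"EVENT_TYPE_C ([\d.]+)"]),
]

def correlate(events, rules, window=60):
    """Simplified EventGroup model: one operation per (rule, $1) key, started
    by the first matching event; fires once when every pattern has matched
    within `window` seconds of the start. Returns (rule_index, ip, text)."""
    ops, fired = {}, []
    for t, line in events:
        for ri, (desc, patterns) in enumerate(rules):
            for pi, pat in enumerate(patterns):
                m = re.match(pat, line)
                if m is None:
                    continue
                key = (ri, m.group(1))
                op = ops.get(key)
                if op is None or t - op["start"] > window:
                    op = ops[key] = {"start": t, "seen": set()}  # expired op restarts
                op["seen"].add(pi)
                if len(op["seen"]) == len(patterns):
                    fired.append((ri, m.group(1), desc.replace("$1", m.group(1))))
                    del ops[key]
    return fired

def suppress_subsumed(fired, rules):
    """Hypothetical post-filter (not a SEC feature): drop an output when a rule
    whose pattern set is a strict superset also fired for the same IP."""
    keep = []
    for ri, ip, text in fired:
        mine = set(rules[ri][1])
        if not any(ip == ip2 and mine < set(rules[rj][1]) for rj, ip2, _ in fired):
            keep.append(text)
    return keep

if __name__ == "__main__":
    fired = correlate(SAMPLE_EVENTS, RULES)
    print("\n".join(text for _, _, text in fired), "\n-- reduced --", sep="")
    print("\n".join(suppress_subsumed(fired, RULES)))
```

The first printed list matches the three lines Agustín observed; the reduced list matches the two he expected, and an A/B pair more than 60 seconds apart produces nothing, which is the gap Risto asks about.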
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users