hi Michael, there are a couple of ways to address this problem. Firstly, instead of using sec match variables, one can set up Perl's native variables for sharing data between rules. For example, the regular expression pattern of the first rule can be easily converted into perlfunc pattern, so that the pattern would assign the hostname to Perl global variable $hostname. This global variable can then be accessed in perfunc patterns of other rules. Here is an example that illustrates the idea:
type=Single ptype=perlfunc pattern=sub { if ($_[0] =~ /^\w+\s+[0-9]+ [0-9]+:[0-9]+:[0-9]+ (.+?) /) \ { $hostname = $1; } else { $hostname = ""; } return 1; } desc=hostname action=none continue=TakeNext type=Jump ptype=perlfunc pattern=sub { return 1 if $hostname =~ m/^first-use-case/ } cfset=rules-for-this-match-1 type=Jump ptype=perlfunc pattern=sub { return 1 if $hostname =~ m/^second-use-case/ } cfset=rules-for-this-match-2 Since SEC supports caching the results of pattern matching, one could also store the matching result from the first rule into cache, and then retrieve the result from cache with the 'cached' pattern type. Since this pattern type assumes that the name of the cached entry is provided in the 'pattern' field, the hostname check with a perl function has to be implemented in a context expression (the expression is evaluated after the pattern match). Here is an example which creates an entry named SYSLOG in a pattern match cache, so that all match variables created in the first rule can be retrieved in later rules. Note that the entry is created in the 'varmap' field which also sets up named match variable $+{hostname}. In further rules, the 'cached' pattern type is used for retrieving the SYSLOG entry from cache, and creating all match variables from this entry. In order to check the hostname, the $+{hostname} variable that was originally set in the first rule is passed into perlfunc patterns in the second and third rule. Also, if you need to check more than just few match variables in perlfunc pattern, it is more efficient to pass a reference to the whole cache entry into the Perl function, so that individual cached match variables can be accessed through the reference (I have added an additional fourth rule into the example which illustrates this idea): type=Single ptype=RegExp pattern=^\w+\s+[0-9]+ [0-9]+:[0-9]+:[0-9]+ (.+?) .+ varmap=SYSLOG; hostname=1 desc=hostname action=none continue=TakeNext type=Jump ptype=cached pattern=SYSLOG context=$+{hostname} -> ( sub { return 1 if $_[0] =~ m/^first-use-case/ } ) cfset=rules-for-this-match-1 type=Jump ptype=cached pattern=SYSLOG context=$+{hostname} -> ( sub { return 1 if $_[0] =~ m/^second-use-case/ } ) cfset=rules-for-this-match-2 type=Jump ptype=cached pattern=SYSLOG context=SYSLOG :> ( sub { return 1 if $_[0]->{"hostname"} =~ m/^third-use-case/ } ) cfset=rules-for-this-match-3 A small side-note about the first rule -- you can also create the $+{hostname} variable in the regular expression itself by rewriting it as follows: ^\w+\s+[0-9]+ [0-9]+:[0-9]+:[0-9]+ (?<hostname>.+?) .+ And in that case, you can rewrite the 'varmap=SYSLOG; hostname=1' statement in the first rule simply as 'varmap=SYSLOG'. Hopefully these examples are useful and help you to tackle the problem. kind regards, risto Hi- > > I'm sorry to ask what is probably very basic question, but I have > struggling with this for awhile (I have perused the manual a lot and the > mailing list a bit) and could use some guidance. > > The short version is: is there a way to take the results of a pattern > match in one rule and use that value in a perlfunc in another? > > More verbosely, at this time I use SEC for network syslog exclusion; > nothing fancy. I would like to start using Jump rules based on hostname. > Hostname is derived from the incoming log line. > > I thought I would be clever and use a single rule to determine if there > was a hostname or not, save it somewhere reusable, and then launch jump > rules based on that. > > something like > > type=Single > ptype=RegExp > pattern=^\w+\s+[0-9]+ [0-9]+:[0-9]+:[0-9]+ (.+?) .+ > varmap= hostname=1 > desc=hostname > action=assign %r $+{hostname} > continue=TakeNext > > type=Jump > ptype=perlfunc > pattern=sub { return 1 if $+{hostname} =~ m/^first-use-case/ } > cfset=rules-for-this-match-1 > > type=Jump > ptype=perlfunc > pattern=sub { return 1 if $+{hostname} =~ m/^second-use-case/ } > cfset=rules-for-this-match-2 > > I know this doesn't work. I understand that '%r' is not a perl hash, and > is an action list variable, and that $+{hostname} is undef inside the > type=Jump rule perlfunc. I also know that %r is being set correctly, I see > it in "variables -> r" if I do SIGUSR1 dump. > > So is it possible stash away a variable from one rule and use it in a Jump > rule like above? I can work around this easily by using a single rule like > below, but if I have for example 20 jump permutations, it seems quite > redundant to keep recalculating the hostname for comparison. > > type=Jump > ptype=perlfunc > pattern=sub { return 0 unless (defined($_[1]) && $_[0] =~ /^\w+\s+[0-9]+ > [0-9]+:[0-9]+:[0-9]+ (.+?) .+/); return 1 if $1 =~ m/^first-use-case/} > cfset=all-rules > > Thanks in advance, > -Michael > > > _______________________________________________ > Simple-evcorr-users mailing list > Simple-evcorr-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users >
_______________________________________________ Simple-evcorr-users mailing list Simple-evcorr-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users