...one additional note -- SEC official documentation on the 'while'
action has other relevant examples about processing context event
stores (you can find them at the end of the "ACTIONS, ACTION LISTS AND
ACTION LIST VARIABLES" section of the SEC man page:
https://simple-evcorr.github.io/man.html#lbAI).

kind regards,
risto


>
> hi Penelope,
>
> since 'obsolete' is a SEC action, it cannot be called from Perl, but
> you rather need some sort of loop written in the SEC rule language.
> Fortunately, SEC supports the 'while' action that executes an action
> list as long as the given action list variable evaluates true in
> boolean context. That allows you to write a loop for processing a
> context event store, since there is the 'getsize' action for finding the
> number of events in the store, and the 'shift' (or 'pop') action for
> removing an element from the beginning (or end) of the store. To
> take advantage of this functionality for your task, you just have to
> write relevant context names into the event store of some context, and
> then process this context with a loop.
>
> Here is an example ruleset that illustrates the idea:
>
> type=Single
> ptype=SubStr
> pattern=SEC_SHUTDOWN
> context=SEC_INTERNAL_EVENT
> desc=Save contexts msg_* into /tmp/report.* on shutdown
> action=lcall %ret -> ( sub { join("\n", grep { /^msg_/ } keys %main::context_list) } ); \
>        fill BUFFER %ret; getsize %size BUFFER; \
>        while %size ( shift BUFFER %name; obsolete %name; getsize %size BUFFER )
>
> type=single
> ptype=regexp
> pattern=create (\S+)
> desc=create the $1 context
> action=create $1 3600 ( report $1 /bin/cat > /tmp/report.$1 )
>
> type=single
> ptype=regexp
> pattern=add (\S+) (.+)
> desc=add string $2 to the $1 context
> action=add $1 $2
>
> The 'lcall' action in the first rule executes the following Perl code:
> join("\n", grep { /^msg_/ } keys %main::context_list)
> This code is matching all context names with the "msg_" prefix and
> joining such names into a multiline string.
> The following 'fill' action splits this multiline string by newline,
> and writes individual context names into the event store of the BUFFER
> context.
> The number of context names in the event store is then established
> with getsize %size BUFFER, and then the 'while' loop gets executed:
> while %size ( shift BUFFER %name; obsolete %name; getsize %size BUFFER)
> Inside the loop, context names are taken from the event store one by
> one, and the 'obsolete' action is called for each context name.
>
> One note of caution -- 'obsolete' triggers the 'report' action which
> forks a separate process, and a forked process has 3 seconds for
> finishing its work before receiving TERM signal from SEC (if the
> process has to run longer, a signal handler must be set up for TERM).
>
> Hopefully the above rule example is useful.
>
> kind regards,
> risto
>
>
>
> Contact sec-user--- via Simple-evcorr-users
> (<simple-evcorr-users@lists.sourceforge.net>) wrote on Tue,
> 15 December 2020 at 01:39:
> >
> > Hello!
> >
> > I'm dabbling with SEC, experimenting with adding lines into contexts and 
> > only when the context is finished, decide what to do with it.  Essentially 
> > it's taking a look at the group of log messages emitted by sendmail for 
> > every connection, looking for behaviour that is not consistent with being 
> > an honored guest on the internet, and blocking the source with iptables and 
> > ipset.
> >
> > The problem is that I'm testing with the same input file over and over, but 
> > the 'report' actions aren't running because the entire log file is 
> > processed in less than 10 seconds:
> >
> > sec --conf sendmail.test \
> >   --input /tmp/all.logs \
> >   --fromstart \
> >   --notail \
> >   --bufsize=1 \
> >   --log=- \
> >   --intevents \
> >   --intcontexts \
> >   --debug=50
> >
> > Rather than write some perl to run in the SEC_SHUTDOWN internal event to 
> > write the context buffers to files, I'd really rather just run the 
> > 'obsolete' action on all contexts.  Is there a straightforward way to do 
> > that?
> >
> > type=Single
> > ptype=SubStr
> > pattern=SEC_SHUTDOWN
> > context=SEC_INTERNAL_EVENT
> > desc=Save contexts msg_* into /tmp/report.* on shutdown
> > action=logonly; lcall %ret -> ( sub { my($context); \
> >     foreach $context (keys %main::context_list) { obsolete $context; } \
> >     } )
> >
> > Mon Dec 14 14:49:34 2020: Code 'CODE(0x560fca302fb8)' runtime error: Can't 
> > locate object method "obsolete" via package "msg_sendmail[4208]" (perhaps 
> > you forgot to load "msg_sendmail[4208]"?) at (eval 9) line 1.
> >
> > For better testing, it would be cool if SEC's idea of the current time 
> > could be derived from the timestamps in the log file instead of wall-clock 
> > time, so that context actions happen at the right time relative to log 
> > messages (rather than 30 seconds after the program ends! :-), but that's 
> > probably a bit too much to ask for.
> >
> > Thanks!
> >
> > --
> >
> > Penelope Fudd
> >
> > sec-u...@ch.pkts.ca
> > _______________________________________________
> > Simple-evcorr-users mailing list
> > Simple-evcorr-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
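As an added example (not a ruleset from the thread): a small SEC rule file that applies Risto's 'while' loop to the kind of per-connection sendmail contexts Penelope describes. The log line format, the msg_<pid> context names, the 600-second lifetime and the /tmp/report.* paths are assumptions; the shutdown loop itself is the one from Risto's reply and needs SEC started with --intevents.

```text
# Added example: per-process sendmail contexts plus a shutdown flush.
# Assumed log format: "... sendmail[4208]: <message>" (pid in $1, text in $2).

# First line seen for a pid: create msg_<pid> with a report action that
# runs when the context expires or is obsoleted, then store the line.
# /bin/cat finishes well within the 3 seconds a forked report gets.
type=Single
ptype=RegExp
pattern=sendmail\[(\d+)\]: (.+)
context=!msg_$1
desc=open context msg_$1 for sendmail pid $1
action=create msg_$1 600 ( report msg_$1 /bin/cat >> /tmp/report.$1 ); \
       add msg_$1 $2

# Later lines for a pid whose context already exists are appended to it.
type=Single
ptype=RegExp
pattern=sendmail\[(\d+)\]: (.+)
context=msg_$1
desc=append line to msg_$1
action=add msg_$1 $2

# On SEC_SHUTDOWN (delivered only with --intevents): collect every msg_*
# context name into the BUFFER event store, then obsolete them one by one
# with 'while', so each context's report runs before SEC exits.
type=Single
ptype=SubStr
pattern=SEC_SHUTDOWN
context=SEC_INTERNAL_EVENT
desc=Flush all msg_* contexts to /tmp/report.* on shutdown
action=lcall %ret -> ( sub { join("\n", grep { /^msg_/ } keys %main::context_list) } ); \
       fill BUFFER %ret; getsize %size BUFFER; \
       while %size ( shift BUFFER %name; obsolete %name; getsize %size BUFFER )
```

Because the pid captured by `(\d+)` is all that reaches the report command line, the context name cannot carry shell metacharacters into /bin/cat's redirection target.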

