Thank you Risto

--sk

-----Original Message-----
From: Risto Vaarandi <risto.vaara...@gmail.com> 
Sent: Tuesday, March 16, 2021 3:57 PM
To: Stuart Kendrick <stua...@alleninstitute.org>
Cc: simple-evcorr-users@lists.sourceforge.net
Subject: Re: [Simple-evcorr-users] executing multiple actions


hi Stuart,

if you want to specify multiple actions for the 'action' field of the rule, 
semicolon should indeed be used as a separator. However, the 'action' keyword 
with an equal sign should appear just once in the beginning of the rule field 
definition. Therefore, the example rule from your post would need one small 
modification:

type=SingleWithSuppress
ptype=regexp
pattern=T(\d\d:\d\d:\d\d).*? (.*?) poll-radius.*?Radius auth request against (.*?) failed
desc=$3 Radius auth request failed
action=write /home/tocops/.tocpipe ops $1 Radius on $3 failedwindow=5; shellcmd /opt/local/script/send-sms -m %s -s sec -r stuartk
window=60

hope this helps,
risto

Stuart Kendrick (<stua...@alleninstitute.org>) wrote on Wed, 17 March 2021 at 00:48:
>
> I am struggling to execute multiple actions.  I don't see mention of how to 
> execute multiple actions in the sec man page 
> http://simple-evcorr.github.io/man.html
>  ... but from this page:
> http://simple-evcorr.sourceforge.net/SEC-tutorial/article.html
> I believed that separating actions with semi-colons would be 
> sufficient
>
>
> But perhaps not
>
>
> This works:
> # ----- Radius Auth Failure -----
> #
> type=SingleWithSuppress
> ptype=regexp
> pattern=T(\d\d:\d\d:\d\d).*? (.*?) poll-radius.*?Radius auth request against (.*?) failed
> desc=$3 Radius auth request failed
> action=shellcmd /opt/local/script/send-sms -m %s -s sec -r stuartk
> window=60
>
> As does this:
> # ----- Radius Auth Failure -----
> #
> type=SingleWithSuppress
> ptype=regexp
> pattern=T(\d\d:\d\d:\d\d).*? (.*?) poll-radius.*?Radius auth request against (.*?) failed
> desc=$3 Radius auth request failed
> action=write /home/tocops/.tocpipe ops $1 Radius on $3 failedwindow=5
> window=60
>
> But this does not:
> # ----- Radius Auth Failure -----
> #
> type=SingleWithSuppress
> ptype=regexp
> pattern=T(\d\d:\d\d:\d\d).*? (.*?) poll-radius.*?Radius auth request against (.*?) failed
> desc=$3 Radius auth request failed
> action=write /home/tocops/.tocpipe ops $1 Radius on $3 failedwindow=5; action=shellcmd /opt/local/script/send-sms -m %s -s sec -r stuartk
> window=60
>
>
> 2021-03-16T15:09:56.146094-07:00 vishnu sec[7941]: Reading configuration from /opt/local/etc/sec/service.conf
> 2021-03-16T15:09:56.146198-07:00 vishnu sec[7941]: Rule in /opt/local/etc/sec/service.conf at line 8: Invalid action 'action=shellcmd /opt/local/script/send-sms -m %s -s sec -r stuartk'
> 2021-03-16T15:09:56.146289-07:00 vishnu sec[7941]: Rule in /opt/local/etc/sec/service.conf at line 8: Invalid action list ' write /home/tocops/.tocpipe ops $1 Radius on $3 failedwindow=5; action=shellcmd /opt/local/script/send-sms -m %s -s sec -r stuartk '
> 2021-03-16T15:09:56.146363-07:00 vishnu sec[7941]: No valid rules found in configuration file /opt/local/etc/sec/service.conf
>
> Is executing multiple actions supported?  If so, do I need more than a 
> semi-colon in terms of syntax?
>
> --sk
>
> Stuart Kendrick
> Allen Institute


_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
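
A pre-reload check for the mistake diagnosed in this thread, as an added example that is not part of the original messages or of SEC itself: it scans rule text for an `action`/`action2` field whose semicolon-separated list contains a repeated `action=` keyword, which is what made SEC reject the whole file and left no rules loaded. The names `lint` and `logical_lines` are hypothetical, the sample is constructed from the failing rule above, and the semicolon split is naive (it does not handle semicolons nested inside parentheses).

```python
import re

# Constructed sample: the failing rule from the thread, one field per line.
SAMPLE = r"""# ----- Radius Auth Failure -----
#
type=SingleWithSuppress
ptype=regexp
pattern=T(\d\d:\d\d:\d\d).*? (.*?) poll-radius.*?Radius auth request against (.*?) failed
desc=$3 Radius auth request failed
action=write /home/tocops/.tocpipe ops $1 Radius on $3 failedwindow=5; action=shellcmd /opt/local/script/send-sms -m %s -s sec -r stuartk
window=60
"""

FIELD = re.compile(r"^\s*([A-Za-z]\w*)\s*=(.*)$", re.S)
ACTION_FIELD = re.compile(r"^action2?$")       # assumption: only these fields are checked
STRAY = re.compile(r"^\s*action2?\s*=")        # keyword repeated inside the list

def logical_lines(text):
    """Yield (first_line_no, joined_text), merging lines that end with a backslash."""
    buf, start = "", None
    for no, line in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield start, buf + line
        buf, start = "", None
    if start is not None:                      # dangling continuation at end of file
        yield start, buf

def lint(text):
    """Return (line_no, position_in_list, offending_action) for each stray keyword."""
    findings = []
    for no, line in logical_lines(text):
        if line.lstrip().startswith("#"):
            continue
        m = FIELD.match(line)
        if not m or not ACTION_FIELD.match(m.group(1)):
            continue
        for idx, part in enumerate(m.group(2).split(";"), 1):
            if STRAY.match(part):
                findings.append((no, idx, part.strip()))
    return findings

if __name__ == "__main__":
    for no, idx, part in lint(SAMPLE):
        print(f"line {no}, action #{idx}: drop the repeated keyword in '{part}'")
```
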
