hi Sean,
I was quite puzzled why the ruleset you have posted is not working, and
after testing it several times and looking at the rules, I think I found
the reason. When you look at the 'context' field of the second rule, there
is an extra semicolon at the end of the context name (when the rule file is
loaded and parsed, it is treated as a part of the context name). Therefore,
the 'context' field is not checking the presence of the right context.
After removing that semicolon, the second rule started to produce the
matches :-)
kind regards,
risto

Sean Hennessey (<sean.hennes...@mercurygate.com>) wrote on
Sun, 6 November 2022 at 02:06:

> I’m trying to do something I think is possible, but it’s not quite working.
> I have a use case where I need to watch one central log file to catch a
> system that is going to fire off a separate process that creates a log I’m
> really interested in. I have the rules that do this just fine. They use
> addinput and dropinput to pull files in and out.
>
> My issue comes in watching these other log files. Each one of these files
> is logging events I’m concerned about. Each file has threads. Those threads
> are unique within that file, but not across files. So thread 1, for example,
> is going to be in all log files. I’m able to set a context that includes the
> filename and thread id with no problem on the rule that is picking up the
> first event I’m concerned about. My issue is then using the context= in the
> next rule to limit it to just that input.
>
> Here are some examples I’ve tried:
>
> type=single
> ptype=regexp
> pattern=Action one.*Thread="Thread([0-9]+)"
> desc=Action one for $+{_inputsrc} thread $1
> action=create LK_$+{_inputsrc}_$1 86400;fill LK_$+{_inputsrc}_$1 %t;
>
> type=single
> continue=takenext
> ptype=regexp
> pattern="Thread([0-9]+)"
> context=LK_$+{_inputsrc}_$1;
> desc=got a line from $+{_inputsrc} for thread $1 winner winner ===LK_$+{_intcontext}_$1===
> action=delete LK_$+{_inputsrc}_$1;write - NL %t %var1 %s;
>
> type=single
> continue=takenext
> ptype=regexp
> pattern="Thread([0-9]+)"
> context=LK_inp.text_21
> desc=why only this one? got a line from $+{_inputsrc} for thread $1 +++$+{_intcontext}+++ ===$+{_inputsrc}=== _$1_
> action=pop LK_$+{_inputsrc}_$1 %var1;delete LK_$+{_inputsrc}_$1;write - NL %t %var1 %s;
>
> sec --conf=testing.sec --intevents --intcontexts --nochildterm --input=inp.text --debug=6
>
> SEC (Simple Event Correlator) 2.8.2
> Reading configuration from testing.sec
> 3 rules loaded from testing.sec
> No --bufsize command line option or --bufsize=0, setting --bufsize to 1
> Opening input file inp.text
> Interactive process, SIGINT can't be used for changing the logging level
> Creating SEC internal context 'SEC_INTERNAL_EVENT'
> Creating SEC internal event 'SEC_STARTUP'
> Deleting SEC internal context 'SEC_INTERNAL_EVENT'
>
> Now I feed in one line:
>
> echo 'INFO  [2022-11-05 16:24:58,506] Action one Thread="Thread21", "' >> inp.text
>
> I get:
>
> Creating context 'LK_inp.text_21'
> Filling context 'LK_inp.text_21' with event(s) 'Sat Nov  5 19:24:55 2022'
>
> If I create the sec.dump file I see this as far as what contexts are there:
>
> List of contexts:
> ============================================================
> Context Name: LK_inp.text_21
> Creation Time: Sat Nov  5 19:24:55 2022
> Lifetime: 86400 seconds
> 1 events associated with context:
> Sat Nov  5 19:24:55 2022
> ------------------------------------------------------------
> Total: 1 elements
>
> I now feed in the other line:
>
> echo 'INFO  [2022-11-05 16:24:58,506] Action two Thread="Thread21", "' >> inp.text
>
> Rule 3 ends up firing and not rule 2:
>
> Pop the last element of context 'LK_inp.text_21' event store into variable '%var1'
> Variable '%var1' set to 'Sat Nov  5 19:24:55 2022'
> Deleting context 'LK_inp.text_21'
> Context 'LK_inp.text_21' deleted
> Writing event 'NL Sat Nov  5 19:26:25 2022 Sat Nov  5 19:24:55 2022 why only this one? got a line from inp.text for thread 21 +++_FILE_EVENT_inp.text+++ ===inp.text=== _21_' to file '-'
>
> NL Sat Nov  5 19:26:25 2022 Sat Nov  5 19:24:55 2022 why only this one? got a line from inp.text for thread 21 +++_FILE_EVENT_inp.text+++ ===inp.text=== _21_
>
> Rule 3 is able to delete the context just fine, so I know the
> $+{_inputsrc} is being evaluated correctly. Can it not be evaluated in the
> context= line?
>
> Can someone guide me with a way to get this to work?
>
> Thanks in advance
>
> Sean
>
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
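Added example, not from the thread and not SEC project code: the ruleset from the post with the fix risto describes applied. Rule 2's context= field loses its trailing ';' (SEC keeps that character as part of the context name, so the lookup was for 'LK_inp.text_21;' while rule 1 had created 'LK_inp.text_21'), and the literal-name rule 3, which was only a workaround, is folded into rule 2. A trailing ';' in an action= field is harmless because ';' is the action separator there, as Sean's own working rule 1 shows; in context= it is not. The block also carries a small grep-based lint that flags context= fields ending in ';' so the mistake is caught before the rule file is loaded. File names, the function names and the scratch directory are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the SEC project):
# the corrected two-rule version of the posted ruleset plus a lint for
# context= fields that end in ';'. Paths and function names are assumed.

# Write the corrected rules to the given path. Rule 1 creates a context
# keyed on input file and thread id; rule 2 looks that same name up.
write_fixed_rules() {
  cat > "$1" <<'EOF'
# Rule 1: first event of interest, context keyed on input file and thread id
type=single
ptype=regexp
pattern=Action one.*Thread="Thread([0-9]+)"
desc=Action one for $+{_inputsrc} thread $1
action=create LK_$+{_inputsrc}_$1 86400; fill LK_$+{_inputsrc}_$1 %t

# Rule 2: a later line from the same input file and thread.
# No ';' after the context name: SEC would treat it as part of the name
# and the lookup would never match what rule 1 created.
type=single
ptype=regexp
pattern="Thread([0-9]+)"
context=LK_$+{_inputsrc}_$1
desc=got a line from $+{_inputsrc} for thread $1
action=pop LK_$+{_inputsrc}_$1 %var1; delete LK_$+{_inputsrc}_$1; write - NL %t %var1 %s
EOF
}

# Lint: print (with line numbers) every context= field whose value ends
# in ';'. Exit status 0 means at least one offending line was found,
# 1 means the file is clean, which is what grep returns on no match.
lint_context_fields() {
  grep -nE '^[[:space:]]*context[[:space:]]*=.*;[[:space:]]*$' "$1"
}

# Stand-alone demo on a scratch copy of the corrected rules.
demo_dir=$(mktemp -d)
write_fixed_rules "$demo_dir/testing-fixed.sec"
if lint_context_fields "$demo_dir/testing-fixed.sec"; then
  echo "context= fields with a trailing ';' found (listed above)"
else
  echo "no context= field ends in ';'"
fi
rm -rf "$demo_dir"
```

After loading the corrected file with the same `sec --debug=6` invocation as in the post, the check is that the name in the "Creating context '...'" line produced by rule 1 is exactly the name rule 2 looks up; running `lint_context_fields` over a rule file before deploying it catches the trailing-semicolon variant of that mismatch mechanically.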
