Could it be because the two patterns are identical, thus you don't have a "recovered" string for the second to match on?
I haven't dug into this in years so I may be mistaken.

Regards,
Jon Frazier

From: Tom Damon via Simple-evcorr-users <simple-evcorr-users@lists.sourceforge.net>
Sent: Thursday, April 11, 2024 12:00 PM
To: simple-evcorr-users@lists.sourceforge.net
Subject: [External] [Simple-evcorr-users] Problem with action2

Hello list,

I'm trying to get this rule working. The action works, but action2 does not. What am I missing?

type=PairWithWindow
ptype=regexp
pattern=host.(\S+)\s+subtype=\S+\smessage=.*User-ID-Agent\s+(\S+)\s(\S+):
desc=(WARNING) $1 is $3 from $2
action=pipe 'sending' /etc/logzilla/scripts/sec.sh '%s'
ptype2=regexp
pattern2=host.(\S+)\s+subtype=\S+\smessage=.*User-ID-Agent\s+(\S+)\s(\S+):
desc2=(NOTICE) You seeing this means, we have seen a recovery event.
action2=pipe 'sending' /etc/logzilla/scripts/sec.sh 'recovered'
window=5

Thanks,
Tom Damon
LogZilla
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
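
An offline check of the point raised in the reply, added here as an example and not part of the thread: it runs the rule's pattern and pattern2 over constructed sample events (the log lines, host names and status words are assumptions) and reports what each one captures. Python's re module treats these particular expressions the same way Perl does.

```python
import re

# Copied from the rule in the thread; pattern and pattern2 are the same string.
PATTERN = r'host.(\S+)\s+subtype=\S+\smessage=.*User-ID-Agent\s+(\S+)\s(\S+):'
PATTERN2 = r'host.(\S+)\s+subtype=\S+\smessage=.*User-ID-Agent\s+(\S+)\s(\S+):'

# Constructed sample events (assumptions, not taken from the thread).
SAMPLE_EVENTS = {
    "down": "host=fw01 subtype=userid message=User-ID-Agent dc01 disconnected: timeout",
    "up": "host=fw01 subtype=userid message=User-ID-Agent dc01 connected: session ok",
    "other": "host=fw01 subtype=general message=Config committed",
}


def match_report(events=SAMPLE_EVENTS):
    """Return {label: (groups captured by pattern, groups captured by pattern2)}."""
    p1, p2 = re.compile(PATTERN), re.compile(PATTERN2)
    report = {}
    for label, line in events.items():
        m1, m2 = p1.search(line), p2.search(line)
        report[label] = (m1.groups() if m1 else None,
                         m2.groups() if m2 else None)
    return report


def distinguishes(first, second, events=SAMPLE_EVENTS):
    """True only if pattern matches `first` but not `second`,
    and pattern2 matches `second` but not `first`."""
    r = match_report(events)
    return (r[first][0] is not None and r[second][0] is None
            and r[second][1] is not None and r[first][1] is None)


def render_desc(groups):
    """Fill the rule's desc template: (WARNING) $1 is $3 from $2."""
    host, agent, state = groups
    return f"(WARNING) {host} is {state} from {agent}"


if __name__ == "__main__":
    for label, (g1, g2) in match_report().items():
        print(f"{label:5} pattern={g1} pattern2={g2}")
    print("desc for 'down':", render_desc(match_report()["down"][0]))
    print("pair separates down from up:", distinguishes("down", "up"))
```

On these samples both expressions match the "down" and the "up" line alike; only the third capture group (the status word) differs between the two events.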