Thanks for the detailed explanation. Appreciate your work, Risto.

Tom Damon
LogZilla

From: Risto Vaarandi <risto.vaara...@gmail.com>
Date: Thursday, April 11, 2024 at 5:38 PM
To: Tom Damon <t...@logzilla.net>
Cc: simple-evcorr-users@lists.sourceforge.net 
<simple-evcorr-users@lists.sourceforge.net>
Subject: Re: [Simple-evcorr-users] Problem with action2
hi Tom,

the PairWithWindow rule works as follows (see also the documentation of the 
PairWithWindow rule in https://simple-evcorr.github.io/man.html#lbAP):

step1) if the incoming event matches the pattern defined with the 'pattern' 
field, the rule either (a) starts a new event correlation operation if it does 
not exist yet, or (b) if the operation exists, the rule sends the event to the 
operation which consumes the event silently.
step2) if the incoming event does not match the pattern defined with the 
'pattern' field, the event is processed by all event correlation operations 
started by the rule, and the operations try to match this event against their 
'pattern2' patterns. If any of the patterns matches, corresponding 'action2' of 
the relevant operation is executed.

Given the scheme described above, if the 'pattern' field matches all events 
that 'pattern2' matches, all events are handled during step1 and no event will 
reach step2. You are seeing this behavior, since both patterns are identical in 
your rule definition. To fix that issue, you need to make the 'pattern' and 
'pattern2' fields different enough, so that the first pattern would only match 
the specific event which should start the event correlation operation, whereas 
the second pattern would only match the event which should end the operation.

kind regards,
risto

Tom Damon via Simple-evcorr-users (<simple-evcorr-users@lists.sourceforge.net>) wrote on Thu, 11 April 2024 at 23:34:
Hello list,
  I’m trying to get this rule working.  The action works, but action2 does not. 
What am I missing?

type=PairWithWindow
ptype=regexp
pattern=host.(\S+)\s+subtype=\S+\smessage=.*User-ID-Agent\s+(\S+)\s(\S+):
desc=(WARNING) $1 is $3 from $2
action=pipe 'sending' /etc/logzilla/scripts/sec.sh '%s'
ptype2=regexp
pattern2=host.(\S+)\s+subtype=\S+\smessage=.*User-ID-Agent\s+(\S+)\s(\S+):
desc2=(NOTICE) You seeing this means, we have seen a recovery event.
action2=pipe 'sending' /etc/logzilla/scripts/sec.sh 'recovered'
window=5

Thanks,
Tom Damon
LogZilla
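As an added illustration (not part of the thread, and not SEC's own code), the Python emulator below models the two steps Risto describes and feeds a few constructed log lines through Tom's rule as posted and through a corrected version whose 'pattern' only matches the start event and whose 'pattern2' only matches the end event. The state words "disconnected"/"connected", the sample events, the desc2 wording and the $1/$2 references inside pattern2 are assumptions of this example; SEC itself is not invoked and the 'pipe' actions are only recorded, not run.

```python
import re

# Tom's rule as posted (verbatim): 'pattern' and 'pattern2' are identical,
# so every would-be recovery event is consumed in step 1 and action2 never runs.
ORIGINAL_RULE = r"""
type=PairWithWindow
ptype=regexp
pattern=host.(\S+)\s+subtype=\S+\smessage=.*User-ID-Agent\s+(\S+)\s(\S+):
desc=(WARNING) $1 is $3 from $2
action=pipe 'sending' /etc/logzilla/scripts/sec.sh '%s'
ptype2=regexp
pattern2=host.(\S+)\s+subtype=\S+\smessage=.*User-ID-Agent\s+(\S+)\s(\S+):
desc2=(NOTICE) You seeing this means, we have seen a recovery event.
action2=pipe 'sending' /etc/logzilla/scripts/sec.sh 'recovered'
window=5
"""

# Corrected rule following Risto's advice. The state words "disconnected" and
# "connected" are ASSUMED for this example; use whatever your log source emits.
# pattern2 refers back to $1 (host) and $2 (agent) so that only the recovery
# event of the same agent ends the operation (assumed convention, see note).
FIXED_RULE = r"""
type=PairWithWindow
ptype=regexp
pattern=host.(\S+)\s+subtype=\S+\smessage=.*User-ID-Agent\s+(\S+)\s(disconnected):
desc=(WARNING) $1 is $3 from $2
action=pipe 'sending' /etc/logzilla/scripts/sec.sh '%s'
ptype2=regexp
pattern2=host.$1\s+subtype=\S+\smessage=.*User-ID-Agent\s+$2\s(connected):
desc2=(NOTICE) User-ID-Agent $2 on $1 is connected again
action2=pipe 'sending' /etc/logzilla/scripts/sec.sh 'recovered'
window=5
"""


def parse_rule(text):
    """Parse a SEC-style key=value rule block into a dict (first '=' splits)."""
    rule = {}
    for line in text.strip().splitlines():
        if line.strip() and not line.startswith('#'):
            key, _, value = line.partition('=')
            rule[key.strip()] = value
    return rule


def substitute(template, groups):
    """Replace $N with the N-th match variable captured by the first pattern."""
    return re.sub(r'\$(\d+)', lambda m: groups[int(m.group(1)) - 1], template)


class PairWithWindow:
    """Minimal emulation of the two steps Risto describes; operations keyed by desc."""

    def __init__(self, rule_text):
        self.rule = parse_rule(rule_text)
        self.pattern = re.compile(self.rule['pattern'])
        self.window = int(self.rule['window'])
        self.ops = {}       # desc -> (deadline, compiled pattern2, match groups)
        self.fired = []     # (action field name, substituted desc) in firing order

    def _expire(self, now):
        # window elapsed without a pattern2 match: run 'action' and drop the operation
        for desc, (deadline, _, _) in list(self.ops.items()):
            if deadline <= now:
                self.fired.append(('action', desc))
                del self.ops[desc]

    def feed(self, now, line):
        self._expire(now)
        m = self.pattern.search(line)
        if m:
            # step 1: start a new operation, or let the existing one consume the event silently
            groups = m.groups()
            desc = substitute(self.rule['desc'], groups)
            if desc not in self.ops:
                p2 = re.compile(substitute(self.rule['pattern2'],
                                           [re.escape(g) for g in groups]))
                self.ops[desc] = (now + self.window, p2, groups)
            return
        # step 2: events that did not match 'pattern' are offered to every running operation
        for desc, (_, p2, groups) in list(self.ops.items()):
            if p2.search(line):
                self.fired.append(('action2', substitute(self.rule['desc2'], groups)))
                del self.ops[desc]


def run(rule_text, events):
    """Feed (timestamp, line) events through one rule; return the actions fired."""
    op = PairWithWindow(rule_text)
    for ts, line in events:
        op.feed(ts, line)
    return op.fired


# Constructed sample events (seconds, log line); the format is assumed to match
# Tom's regexps and is not copied from any real device.
EVENTS = [
    (0, "host=fw01 subtype=system message=User-ID-Agent pa-agent01 disconnected:"),
    (2, "host=fw01 subtype=system message=User-ID-Agent pa-agent01 connected:"),
    (10, "host=fw02 subtype=system message=User-ID-Agent pa-agent02 disconnected:"),
    (20, "host=fw02 subtype=system message=config commit by admin"),
]

if __name__ == '__main__':
    for name, rule in (('original', ORIGINAL_RULE), ('fixed', FIXED_RULE)):
        print(f'--- {name} rule ---')
        for action, desc in run(rule, EVENTS):
            print(f'{action}: {desc}')
```

With the original rule the "connected" event at t=2 matches 'pattern', so it starts a second operation instead of ending the first one, and the only thing that ever fires is 'action' when each window expires. With the corrected rule the same event falls through to step 2, ends the fw01 operation with action2, and 'action' fires only for the agent that never recovers. The $1/$2 references in pattern2 follow the match-variable convention SEC documents for Pair-type rules; check the man page for your SEC version before relying on it.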
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users