Hi again,

Here is the info from my engine execution:

KnowledgeBaseConfiguration config = KnowledgeBaseFactory.newKnowledgeBaseConfiguration();
config.setOption( EventProcessingOption.STREAM );
KnowledgeBase kbase = KnowledgeBaseFactory.newKnowledgeBase(config);
kbase.addKnowledgePackages(kbuilder.getKnowledgePackages());
SessionConfiguration sessionConf = new SessionConfiguration();
sessionConf.setClockType(ClockType.REALTIME_CLOCK);
ksession = kbase.newStatefulKnowledgeSession( sessionConf, env);

And here is the inserting method:

ksession.getWorkingMemoryEntryPoint("Correlator").insert(fact);
ksession.fireAllRules();

So I don't understand why my CEP rules never fire ...

Thanks again,

nestabur

2009/7/22 Nestor Tarin Burriel <nesta...@gmail.com>

> Hi Edson,
>
> Thanks for the fix, but the problem still happens :(
>
> Here is my complete .drl file:
>
> package Correlator
> global com.s2grupo.triton.global.Context Context
>
> declare Snort
>     @role( event )
>     icmp_code: String
>     tcp_sport: String
>     data: String
>     sig_rev: String
>     tcp_dport: String
>     udp_sport: String
>     hostname: String
>     interface: String
>     sig_priority: String
>     icmp_type: String
>     id: java.lang.Long
>     sig_class_name: String
>     ip_dst: String
>     sig_name: String
>     udp_dport: String
>     ip_src: String
>     event_date: java.util.Date
> end
>
> rule "SnortRule"
>     salience 2
>     dialect "mvel"
> when
>     $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
>     $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point "Correlator"
> then
>     System.out.println("****************** Snort Alert!!!!" + $s1.getData());
>     retract($s1);
> end
>
>
> rule "SnortRuleRetract"
>     salience 1
>     dialect "mvel"
> when
>     $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
>     $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id, this after [0m,5m] $s1) from entry-point "Correlator"
> then
>     retract($s2);
>     System.out.println(" ********* Deleting Fact From WM");
> end
>
>
> rule "SnortRule0"
>     salience 0
>     dialect "mvel"
> when
>     $s1 : Snort( this.sig_name != "(portscan) Open Port") from entry-point "Correlator"
> then
>     System.out.println("********* Snort Alert 0!!" + $s1.getData());
> end
>
> As you can see, I'm trying to correlate snort events with drools.
>
> With this scenario, the only rule that is firing is "SnortRule0"
>
> 2009/7/21 Edson Tirelli <tire...@post.com>
>
>>    Your rule is wrong, as you are defining 3 patterns and the second
>> pattern is looking for a fact in the main entry point, not your defined
>> "MyEntryPoint".
>>    Fix it doing:
>>
>> $s2 : MyModel ( name != "aaa" , id != $s1.id, ip == $s1, this after [0m,5m] $s1) from entry-point "MyEntryPoint"
>>
>>    []s
>>    Edson
>>
>> 2009/7/21 nestabur <nesta...@gmail.com>
>>
>>> Hi all,
>>>
>>> I'm getting crazy trying to create a CEP rule in drools 5.0.1 :(
>>>
>>> The rule is:
>>> ===============
>>> rule "RetractOlderFacts"
>>>     dialect "mvel"
>>> when
>>>     $s1 : MyModel( name != "aaa") from entry-point "MyEntryPoint"
>>>     $s2 : MyModel ( name != "aaa" , id != $s1.id, ip == $s1) and MyModel ( this after [0m,5m] $s1) from entry-point "MyEntryPoint"
>>> then
>>>     retract($s2);
>>>     System.out.println(" ********* Retracting from WM");
>>> end
>>> ===============
>>>
>>> The scenario is:
>>> "After receiving a fact "MyModel" which name != "aaa", if arrives another
>>> with same ip and different id after a period between 0 and 5 minutes the
>>> rule has to retract the last one and keep the first fact (the older one)"
>>>
>>> After receiving hundreds and hundreds of facts via JMS that may match with
>>> the rule condition, the rule never throws!
>>>
>>> Is the rule correct?
>>> Could the problem be at the rule engine implementation?
>>>
>>> Could anyone help me please?
>>>
>>> Thanks in advance,
>>>
>>> nestabur
>>> --
>>> View this message in context:
>>> http://www.nabble.com/CEP-Rule-Help-Needed-tp24591289p24591289.html
>>> Sent from the drools - user mailing list archive at Nabble.com.
_______________________________________________ rules-users mailing list rules-users@lists.jboss.org https://lists.jboss.org/mailman/listinfo/rules-users
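
Added example, not part of the original thread and not Drools code: a plain-Python model of the scenario stated in the first post (keep the oldest alert per destination, drop later alerts with a different id that arrive 0 to 5 minutes after it), useful as a reference result to compare rule output against. Field names follow the `Snort` declaration above; the helper names `snort`, `after` and `correlate`, the sample alerts and addresses are constructed for illustration, and the single-bound form of `after` is assumed to mean "at least that long, no upper limit".

```python
from datetime import datetime, timedelta

IGNORED_SIG = "(portscan) Open Port"   # signature excluded by every rule in the thread
WINDOW = timedelta(minutes=5)
T0 = datetime(2009, 7, 22, 10, 0, 0)   # constructed start time

def snort(id_, ip_dst, minutes, sig_name="ICMP PING"):
    """Build a constructed Snort alert as a dict, `minutes` after T0."""
    return {"id": id_, "ip_dst": ip_dst, "sig_name": sig_name,
            "event_date": T0 + timedelta(minutes=minutes)}

def after(later, earlier, lo=timedelta(0), hi=None):
    """Model of `later after[lo,hi] earlier` for point-in-time events:
    lo <= later - earlier <= hi. hi=None means no upper bound (assumption)."""
    gap = later["event_date"] - earlier["event_date"]
    return gap >= lo and (hi is None or gap <= hi)

def correlate(events, window=WINDOW):
    """Return (kept_ids, suppressed_ids) for the 'keep the older fact' scenario."""
    kept, suppressed = [], []
    anchor = {}                          # ip_dst -> oldest alert still kept
    for ev in sorted(events, key=lambda e: e["event_date"]):
        if ev["sig_name"] == IGNORED_SIG:
            continue                     # filtered out, never correlated
        first = anchor.get(ev["ip_dst"])
        # id != first.id mirrors the rule's guard against joining a fact to itself
        if (first is not None and ev["id"] != first["id"]
                and after(ev, first, hi=window)):
            suppressed.append(ev["id"])  # the later alert is the one dropped
        else:
            anchor[ev["ip_dst"]] = ev    # first alert, or outside the window
            kept.append(ev["id"])
    return kept, suppressed

# Constructed sample stream, not real Snort output.
SAMPLE = [
    snort(1, "10.0.0.5", 0),
    snort(2, "10.0.0.5", 2),               # 2 min after id 1: suppressed
    snort(3, "10.0.0.9", 3),               # different destination: kept
    snort(4, "10.0.0.5", 4, IGNORED_SIG),  # excluded signature: ignored
    snort(5, "10.0.0.5", 7),               # 7 min after id 1: kept
    snort(6, "10.0.0.5", 9),               # 2 min after id 5: suppressed
]

if __name__ == "__main__":
    print(correlate(SAMPLE))
```
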