Re: [Simple-evcorr-users] Count the number of event filtering by parameters.

2011-03-29 Thread Risto Vaarandi
Ludovic,

there are several ways to address the problem, but it depends on what 
exactly you would like to do.
Do you want to keep track of different user names and report current 
counters for all users once every X minutes, or would you rather send 
a report for each user after the user has been inactive for X minutes?
For the latter case, you might want to try an EventGroup rule with the 
following parameters:

# the '>' of the lcall '->' operator was lost in the archived message and is restored here
type=EventGroup
ptype=regexp
pattern=ERROR.*User (\S+) attempted to authenticate
count=lcall %ret $1 -> ( sub { ++$ucounts{$_[0]}; } ); \
  add USER_$1 $0
desc=User $1 attempted to authenticate
action=none
multact=yes
end=lcall %ret $1 -> ( sub { return delete $ucounts{$_[0]}; } ); \
  report USER_$1 mail -s 'User $1 %ret events seen' root; \
  delete USER_$1
window=20

Note that with this ruleset, the counters are implemented not as SEC 
variables but as a Perl hash %ucounts. The 'multact' field of the rule 
has to be set to yes, which forces the event correlation window to keep 
sliding until the last matching event is outside the window (in this 
example this means that 20 seconds have elapsed since the last activity 
from a given user).

kind regards,
risto

On 03/29/2011 11:22 AM, Ludovic Hutin wrote:
 Hi again,

 After reading this documentation,
 http://sixshooter.v6.thrupoint.net/SEC-examples/article.html
 it says that variables are global. I would like to have a context variable.

 Doing something like this seems impossible: assign %count_$1 1

 The idea is to count the occurrences of a pattern and send a report every
 x hours.

 # the shell redirection operator was stripped from the archived message; '>>' is assumed here
 type=single
 continue=takenext
 ptype=regexp
 pattern=ERROR.*User “(\S+)” attempted to authenticate
 context=!NB_APPARITION_$1
 desc=First apparition for user $1
 action=create NB_APPARITION_$1 0; assign %count 1

 type=single
 continue=takenext
 ptype=regexp
 pattern=ERROR.*User “(\S+)” attempted to authenticate
 context=NB_APPARITION_$1
 desc=%count apparition for user $1
 action=eval %count ( %count + 1 ); add NB_APPARITION_$1 0; \
   set NB_APPARITION_$1 30 \
   ( report NB_APPARITION_$1 /bin/echo 'Login : $1 Nb - connexion : %count' >> result.txt )

 Best Regards,
 Ludovic.

 On 28/03/2011 16:42, Ludovic Hutin wrote:
 Hello,

I am new to the extraordinary tool SEC.
I would like to do something like this; in my log file I have:

ERROR User toto something wrong ...
ERROR User tita something wrong ...
ERROR User tutu something wrong ...
ERROR User tita something wrong ...
ERROR User toto something wrong ...
ERROR User tita something wrong ...

I would like to count the number of occurrences for each user and
 send a report after X minutes during which we don't see the user.

# the shell redirection operator was stripped from the archived message; '>>' is assumed here
type=single
continue=takenext
ptype=regexp
pattern=ERROR.*User (\S+) something wrong
context=!NB_APPARITION_$1
desc=First apparition for user $1
action=create NB_APPARITION_$1 0; assign %nbapparition 1

type=single
continue=takenext
ptype=regexp
pattern=ERROR.*User (\S+) something wrong
context=NB_APPARITION_$1
desc=%nbapparition error for user $1
action=eval %nbapparition ( %nbapparition + 1 ); add NB_APPARITION_$1 $0; \
  set NB_APPARITION_$1 1800 \
  ( report NB_APPARITION_$1 /bin/echo 'Login : $1 Nb - connexion : %nbapparition' >> result.txt )

I don't know what's wrong; if someone has an idea, please let me know.

 Thanks in advance for helping.
 Ludovic.

 --
 Enable your software for Intel(R) Active Management Technology to meet the
 growing manageability and security demands of your customers. Businesses
 are taking advantage of Intel(R) vPro (TM) technology - will your software
 be a part of the solution? Download the Intel(R) Manageability Checker
 today! http://p.sf.net/sfu/intel-dev2devmar
 ___
 Simple-evcorr-users mailing list
 Simple-evcorr-users@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users




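To make the semantics of the EventGroup rule in Risto's reply concrete, here is an added Python model of it (not SEC's code and not from the thread): per-user counts live in a dict, like the rule's %ucounts hash, and a user's report fires once 20 seconds pass with no further event from that user, which is the sliding window that multact=yes and window=20 give in SEC. The sample events are constructed.

```python
import re

# Added example (not SEC's own code): a minimal model of the EventGroup rule
# in Risto's reply.  Counts live in a dict, like the rule's %ucounts hash, and
# a per-user report is emitted once WINDOW seconds pass without a new event
# from that user, which is what multact=yes plus window=20 gives in SEC.
PATTERN = re.compile(r"ERROR.*User (\S+) attempted to authenticate")
WINDOW = 20  # seconds, matching window=20 in the rule

def report_subject(user, count):
    """The mail subject the rule's 'end' action sends: 'User $1 %ret events seen'."""
    return f"User {user} {count} events seen"

def correlate(events, window=WINDOW):
    """events: iterable of (timestamp_seconds, log_line) in time order.
    Returns the reports in emission order as (report_time, user, count)."""
    counts, last_seen, reports = {}, {}, []

    def expire(now):
        # Close every user whose window has slid past 'now' (oldest first).
        for user in sorted(last_seen, key=lambda u: (last_seen[u], u)):
            if now - last_seen[user] >= window:
                reports.append((last_seen[user] + window, user, counts.pop(user)))
                del last_seen[user]

    for ts, line in events:
        expire(ts)              # time advances: flush idle users first
        m = PATTERN.search(line)
        if not m:
            continue            # non-matching lines neither count nor extend a window
        user = m.group(1)
        counts[user] = counts.get(user, 0) + 1   # the rule's ++$ucounts{$1}
        last_seen[user] = ts                     # last activity slides the window
    if last_seen:               # end of input: flush what is still open
        expire(max(last_seen.values()) + window)
    return reports

# Constructed sample events: (seconds, line); not taken from the thread's logs.
SAMPLE = [
    (0,  "ERROR User toto attempted to authenticate"),
    (5,  "ERROR User tita attempted to authenticate"),
    (10, "ERROR User toto attempted to authenticate"),
    (12, "INFO User toto logged in"),          # ignored by the pattern
    (35, "ERROR User tita attempted to authenticate"),
    (50, "ERROR User tutu attempted to authenticate"),
]

if __name__ == "__main__":
    for when, user, n in correlate(SAMPLE):
        print(f"t={when:3d}: {report_subject(user, n)}")
```

Note that tita is reported twice: her first two events are 30 seconds apart, so the first window closes before the second event opens a new one, exactly as the rule would do.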


Re: [Simple-evcorr-users] Count the number of event filtering by parameters.

2011-03-29 Thread Ludovic Hutin
Hi,

 The tool can do so many things that we are not yet clear about what we would 
like to do.
 To begin with, we will do some easy cases.
 Thanks for your code, which works perfectly.

Best regards,
Ludovic.
