Re: [Simple-evcorr-users] Suggestions for handling multiple streams/events - disabling alerting based on source, etc.
Here is the conf I am testing and some of the output. I realize in the perlfunc we have $0 and $1, but in the actions do these not become $1 and $2? I suppose I am just wondering how I can manipulate the value for the input stream variable in my actions to make it easier to read, i.e. rather than the full path and name of the monitored logfile, just a portion of the name that is a unique identifier.

type=single
ptype=perlfunc
pattern=sub { if ($_[0] =~ /.*(SRVE0255E).*/) { \
return ($1, $_[1] =~ m/.*\/(.*)\.SystemOut\.log$/); } else { return 0; } }
context=!IGNORE_SRVE0255E_FOR_FILE_$2
desc=$1:$2
action=logonly Error reported by Application: %app on Layer: %layer: $1 caught in: $2; shellcmd %email $1 %layer %app $2 %mailto; create IGNORE_SRVE0255E_FOR_FILE_$2 60 logonly IGNORE_SRVE0255E_FOR_FILE_$2 has Expired!

Mon Apr 18 14:47:20 2011: Error reported by Application: WEC on Layer: PERF: PQWCSP5 caught in: PQWCSP5
Mon Apr 18 14:47:20 2011: Executing shell command '/opt/monty/sec/emailException.sh PQWCSP5 PERF WEC PQWCSP5 john_gras...@johnlewis.co.uk'
Mon Apr 18 14:47:20 2011: Child 30939 created for command '/opt/monty/sec/emailException.sh PQWCSP5 PERF WEC PQWCSP5 john_gras...@johnlewis.co.uk'
Mon Apr 18 14:47:20 2011: Creating context 'IGNORE_SRVE0255E_FOR_FILE_PQWCSP5'
Mon Apr 18 14:48:21 2011: Deleting stale context 'IGNORE_SRVE0255E_FOR_FILE_PQWCSP5'
Mon Apr 18 14:48:21 2011: IGNORE_SRVE0255E_FOR_FILE_PQWCSP5 has Expired!
Mon Apr 18 14:48:21 2011: Stale context 'IGNORE_SRVE0255E_FOR_FILE_PQWCSP5' deleted

What happens is that using $1 and $2 in the action list, they both become what I think of as $2 (which is the manipulated $1 in the perlfunc).

If I change the conf to be like this and use $0 and $2 in the action, I get the entire log message...

action=logonly Error reported by Application: %app on Layer: %layer: $0 caught in: $2; shellcmd %email $0 %layer %app $2 %mailto; create IGNORE_SRVE0255E_FOR_FILE_$2 60 logonly IGNORE_SRVE0255E_FOR_FILE_$2 has Expired!

So I am really changing the log line value in the function to only return the SRVE0255E in $1, and trying to change the log source $2 to only return a portion of the name. It sort of works, but I seem to lose the value of the manipulated log message if I try to manipulate the value of the log source.

I have everything else I wanted to test working fine; short-lived context blocking of further alerts works just great... my email script is being triggered perfectly, it's just this now ;)

Thanks for your help!

-Risto Vaarandi risto.vaara...@gmail.com wrote: -
To: John Grasett john.gras...@atech.com
From: Risto Vaarandi risto.vaara...@gmail.com
Date: 04/17/2011 10:38AM
Cc: simple-evcorr-users simple-evcorr-users@lists.sourceforge.net
Subject: Re: [Simple-evcorr-users] Suggestions for handling multiple streams/events - disabling alerting based on source, etc.

2011/4/17 Risto Vaarandi risto.vaara...@gmail.com:
2011/4/15 John Grasett john.gras...@atech.com:

Yes, that sounds perfect. I could also then do this to not repeat on the same event in the same log.
type=single
ptype=perlfunc
pattern=sub { if ($_[0] =~ /.*(SRVE0255E).*/) { \
return ($1, $_[1]); } else { return 0; } }
context=!IGNORE_SRVE0255E_FOR_FILE_$2
desc=$0
action=logonly Error reported by Application: %app on Layer: %layer: $1 caught in: $2; create IGNORE_SRVE0255E_FOR_FILE_$2

One other thing I am trying to do with no luck - change $2 to be only part of the log path/filename:

type=single
ptype=perlfunc
pattern=sub { if ($_[0] =~ /.*(SRVE0255E).*/) { \
return ($1, $_[1], $_[2] =~ m/.*\/(.*)\.SystemOut\.log$/); } else { return 0; } }
desc=$0
action=logonly Error reported by Application: %app on Layer: %layer: $1 caught in: $2

or I try

return ($1, $_[1] =~ m/.*\/(.*)\.SystemOut\.log$/); } else { return 0; } }

But then I get bad output!

John,

PerlFunc pattern function accepts two input parameters ($_[0] and $_[1]), thus $_[2] is undefined for this pattern (PerlFunc2, PerlFunc3, PerlFunc4 etc. take 2,4,6,... parameters).

sorry for a typo -- PerlFunc takes 2 input parameters (one input line and one source name), PerlFunc2 takes 4 parameters (two input lines and two source names), PerlFunc3 takes 6, etc.

regards,
risto

___
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
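Added example, not code from the thread: a stand-alone Perl script that calls John's pattern function the way SEC's PerlFunc does (input line first, source file name second) and compares it with a version that follows Risto's advice of saving $1 into a lexical before running the second match. Perl pushes $1 onto the return list as the magic variable itself, so its value is only read when the list is copied back to the caller; on the Perl John was running that read happened after the file-name match had already reset $1, which is why his log shows PQWCSP5 in both variables. The log line, file paths and server name below are constructed for the example; only the SRVE0255E code and the SystemOut.log naming come from the thread.

```perl
#!/usr/bin/perl
# Added example, not from the mailing list thread. Compares John's
# posted PerlFunc pattern with a version that keeps $1 and $2 apart.
#
# SEC calls a PerlFunc pattern as func($line, $source_name) and maps the
# returned list onto the match variables $1, $2, ... ($0 is the line).
# Returning a single false value means "no match".
use strict;
use warnings;

# Constructed sample input (made up for this example): one WebSphere
# SystemOut.log line and the path SEC would hand over as the source name.
my $line   = '[18/04/11 14:47:19:123 BST] 0000001a WebGroup      E   '
           . 'SRVE0255E: A WebGroup/Virtual Host to handle /foo has not been defined.';
my $source = '/opt/WebSphere/logs/PQWCSP5/PQWCSP5.SystemOut.log';

# As posted in the thread: the second match runs inside the return list,
# so $1 is reset before Perl copies the list to the caller, and on John's
# Perl both elements came out as the server name. When the second match
# fails, the list shrinks to one element and $2 is left unset in SEC.
my $as_posted = sub {
    if ($_[0] =~ /.*(SRVE0255E).*/) {
        return ($1, $_[1] =~ m/.*\/(.*)\.SystemOut\.log$/);
    } else {
        return 0;
    }
};

# Fixed: copy the capture into a lexical before touching the source name,
# match the source name into its own lexical, and return plain scalars.
# Also returns 0 (no match) when the source is not a SystemOut.log, so $2
# is never empty and IGNORE_SRVE0255E_FOR_FILE_$2 is always well formed.
my $fixed = sub {
    my ($l, $src) = @_;
    my ($code)   = $l   =~ /(SRVE0255E)/                 or return 0;
    my ($server) = $src =~ m{/([^/]+)\.SystemOut\.log$}  or return 0;
    return ($code, $server);
};

# Drive both functions over the same line, once with the expected source
# name and once with a near miss (SystemErr.log) to show how each behaves
# when the file-name match does not succeed.
for my $src ($source, '/opt/WebSphere/logs/PQWCSP5/PQWCSP5.SystemErr.log') {
    for my $f ([as_posted => $as_posted], [fixed => $fixed]) {
        my ($name, $sub) = @$f;
        my @vars = $sub->($line, $src);     # list context, as SEC does it
        if (@vars == 1 && !$vars[0]) {
            printf "%-9s %s -> no match\n", $name, $src;
            next;
        }
        printf "%-9s %s -> \$1=%s \$2=%s\n", $name, $src,
            map { defined $_ ? $_ : '(undef)' } @vars[0, 1];
    }
}
```

The fixed function returns SRVE0255E and PQWCSP5 for the SystemOut.log path and refuses to match the SystemErr.log path, whereas the posted one matches the SystemErr.log path with a one-element list. To use it in a rule, put the body of $fixed on the pattern= line (with backslash continuations, as in John's conf) and keep context=!IGNORE_SRVE0255E_FOR_FILE_$2 and the create action unchanged.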
Re: [Simple-evcorr-users] Suggestions for handling multiple streams/events - disabling alerting based on source, etc.
2011/4/15 John Grasett john.gras...@atech.com:

Yes, that sounds perfect. I could also then do this to not repeat on the same event in the same log.

type=single
ptype=perlfunc
pattern=sub { if ($_[0] =~ /.*(SRVE0255E).*/) { \
return ($1, $_[1]); } else { return 0; } }
context=!IGNORE_SRVE0255E_FOR_FILE_$2
desc=$0
action=logonly Error reported by Application: %app on Layer: %layer: $1 caught in: $2; create IGNORE_SRVE0255E_FOR_FILE_$2

One other thing I am trying to do with no luck - change $2 to be only part of the log path/filename:

type=single
ptype=perlfunc
pattern=sub { if ($_[0] =~ /.*(SRVE0255E).*/) { \
return ($1, $_[1], $_[2] =~ m/.*\/(.*)\.SystemOut\.log$/); } else { return 0; } }
desc=$0
action=logonly Error reported by Application: %app on Layer: %layer: $1 caught in: $2

or I try

return ($1, $_[1] =~ m/.*\/(.*)\.SystemOut\.log$/); } else { return 0; } }

But then I get bad output!

John,

PerlFunc pattern function accepts two input parameters ($_[0] and $_[1]), thus $_[2] is undefined for this pattern (PerlFunc2, PerlFunc3, PerlFunc4 etc. take 2,4,6,... parameters).

I would not recommend using $_[1] =~ m/.*\/(.*)\.SystemOut\.log$/ inside a return list from the function, since this sets $1 to the match value from m/.*\/(.*)\.SystemOut\.log$/, overwriting the previous value from /.*(SRVE0255E).*/. You can tackle this issue by saving $1 first into a separate variable, and then evaluating m/.*\/(.*)\.SystemOut\.log$/ against the input file name.

hope this helps,
risto

-Risto Vaarandi risto.vaara...@gmail.com wrote: -
To: John Grasett john.gras...@atech.com
From: Risto Vaarandi risto.vaara...@gmail.com
Date: 04/15/2011 12:43PM
Cc: simple-evcorr-users@lists.sourceforge.net
Subject: Re: [Simple-evcorr-users] Suggestions for handling multiple streams/events - disabling alerting based on source, etc.

hi John,

I would recommend using contexts once you have seen a match from particular rules that should disable matches for several other rules.
The contexts are visible across all rules, and it is easy to check their presence or absence with Boolean expressions. For example, for disabling input coming from certain log files, you could employ the following scheme:

type=single
ptype=perlfunc
pattern=sub { if ($_[0] =~ /.*(SRVE0255E).*/) { \
return ($1, $_[1]); } else { return 0; } }
desc=$0
action=logonly Error reported by Application: %app on Layer: %layer: $1 caught in: $2; create IGNORE_EVENTS_FOR_FILE_$2

type=single
ptype=perlfunc
pattern=sub { if ($_[0] =~ /.*(SRVA0255A).*/) { \
return ($1, $_[1]); } else { return 0; } }
context=!IGNORE_EVENTS_FOR_FILE_$2
desc=$0
action=logonly Error2 reported by Application: %app on Layer: %layer: $1 caught in: $2

The first rule creates a context if the SRVE0255E event has been seen for an input file, and if the SRVA0255A event then comes in from the same log file, no alert will be produced.

A side note -- since users like to have the input source file name available through a match variable, and the named match variables added in the new 2.6 version allow for easily adding new reserved variables, it is likely that the next minor version of SEC will include support for an input file name match variable. In that case, you would not be required to use PerlFunc anymore only for getting the input source name.

kind regards,
risto

2011/4/14 John Grasett john.gras...@atech.com:

I am just getting started here, but I know we will be able to get what we want; I just need a little push in the right direction for implementing this. So far I have this simple conf:

# Set variables on SEC startup or soft restarts. These variables can be used
# in actions and contexts. They are not usable in patterns.
type = single
desc = set variables and things on startup or restart of sec (core)
ptype = regexp
pattern = SEC_(STARTUP|RESTART|SOFTRESTART)
context = [ SEC_INTERNAL_EVENT ]
action=assign %app WEC; assign %layer PERF

# test rule to match on error generated by websphere for a bad or missing virtual host or webgroup
# we use a perlfunc as we need to get the name of the input stream (in this case our logfile) - this way we can run one instance against
# all the servers for an application/layer
type=single
ptype=perlfunc
pattern=sub { if ($_[0] =~ /.*(SRVE0255E).*/) { \
return ($1, $_[1]); } else { return 0; } }
desc=$0
action=logonly Error reported by Application: %app on Layer: %layer: $1 caught in: $2

which does what it should, logs on catching the SRVE0255E code with the variables and the name of the logfile it was caught in:

Thu Apr 14 12:37:28 2011: Reading configuration from /opt/monty/sec/conf/WEC_PERF.conf
Thu Apr 14 12:37:28 2011: 2 rules loaded from /opt/monty/sec/conf/WEC_PERF.conf
Thu Apr 14 12:37:28 2011: Creating SEC internal context 'SEC_INTERNAL_EVENT'
Thu Apr 14 12:37:28 2011: Creating SEC internal event 'SEC_RESTART'
Thu Apr 14 12:37:28