So you would like to react on the *second* DHCPDISCOVER event, where the
network is the same as for the previous event, but MAC is different?
If that's the case, here are the rulesets for sample A and B events.
The first solutions employs one Pair rule. Since regular expressions are
identical in both parts of the rule, the first regular expression will
grab all events and nothing gets passed to the second expression. In
order to prevent this from happening, we have to use a context called
TRACKING_$2 which will be created when the first event appears. For
example, if event blah A blah B appears, context TRACKING_B is
created. The presence of the context will switch off the first regular
expression for 60 seconds if any subsequent event blah * blah B
arrives. After example event blah A blah B has arrived, we will also
create an alias HAVE_SEEN_B_WITH_A which indicates that we have seen B
with A (creating an alias instead of another context is useful, since
TRACKING_B and HAVE_SEEN_B_WITH_A are supposed to exist exactly at the
same time).
Suppose now that second instance of blah * blah B event comes in. Note
that the first regular expression is unable to match due to the presence
of TRACKING_B. However, the second regular expression matches only if *
is not A (since the presence of HAVE_SEEN_B_WITH_A prevents the match
from occurring). For instance, if blah C blah B comes in, it matches,
since HAVE_SEEN_B_WITH_C does not exist, and thus a string we have
observed B without A (instead A there was C) gets written to standard
output:
type=Pair
ptype=regexp
pattern=blah (.+) blah (.+)
context=!TRACKING_$2
desc=tracking second instance of $2
action=create TRACKING_$2 60; alias TRACKING_$2 HAVE_SEEN_$2_WITH_$1
ptype2=regexp
pattern2=blah (.+) blah $2
context2=!HAVE_SEEN_%2_WITH_$1
desc2=we have observed %2 without %1 (instead %1 there was $1)
action2=write - %s; delete TRACKING_%2
window=60
(Note that the lifetime of the Pair operation and the contexts is 60
seconds.)
If you would like to achieve the same effect with Single rules, you
could do something like:
type=Single
ptype=regexp
pattern=blah (.+) blah (.+)
context=!TRACKING_$2
desc=start tracking second instance of $2 without $1
action=create TRACKING_$2 60; alias TRACKING_$2 HAVE_SEEN_$2_WITH_$1
type=Single
ptype=regexp
pattern=blah (.+) blah (.+)
context=TRACKING_$2 !HAVE_SEEN_$2_WITH_$1
desc=we have observed $2 twice with different companions
action=write - %s; delete TRACKING_$2
It is quite similar to previous Pair rule - you just can't get the name
of first companion of B into the alarm (A, that is). I have to admit I
like the second solution a bit more, since all correlation logic is
presented as boolean expressions, and is thus easier to read.
In your last post, I also noticed that you used ^ for negation inside
the pattern2 field. That will not work unfortunately -- ^ works as a
negation operator only inside square brackets [^...], but this construct
matches *one* character only. If you want to negate a whole string, Perl
regexp negative look-ahead or look-behind might do the trick. I my
example, I haven't used it, but the first solution might be somewhat
simpler with it:
type=Pair
ptype=regexp
pattern=blah (.+) blah (.+)
context=!TRACKING_$2
desc=tracking second instance of $2
action=create TRACKING_$2 60
ptype2=regexp
pattern2=blah ((?!$1)\S+) blah $2
desc2=we have observed %2 without %1 (instead %1 there was $1)
action2=write - %s; delete TRACKING_%2
window=60
Note that I haven't tested it fully, but after a quick test it seemed to
work.
hope this helps and is not too confusing :)
risto
On 10/01/2010 07:25 PM, Mike Rykowski wrote:
What I want to do is ignore subsequent messages if the mac and network
are the same. But if a subsequent message has the same network but
different mac then send email.
So it seems I'd like to see your example solutions :)
On Fri, 2010-10-01 at 19:17 +0300, Risto Vaarandi wrote:
hi Mike,
I have almost completed two possible example solutions to the problem,
but after seeing your e-mail I have an inkling I've got the problem
statement wrong :(
So far I had an impression that you would like to do some clever
pairwise correlation for events that are matched by (almost) identical
regular expressions. (Just a note: if the expressions are almost the
same, it is actually a bit tricky with Pair* rules.)
However, from the example I've got an understanding that you would
simply like to suppress duplicate alarms for within a given time window,
provided that *both* the MAC address and the network are the same. Is my
understanding correct?
If so, you could try the following rule:
type=SingleWithSuppress
ptype=RegExp
pattern=\S+\s+\S+\s+\S+\s+\S+ dhcpd: DHCPDISCOVER from (\S+) via \S+
network (\S+): no free leases
desc=$2 no free leases for MAC $1
action=send email
window=120
If I didn't get it quite right, I'll post my two example solutions :)
