hi,
and sorry for not being able to answer yesterday :(
There is an easy explanation to the issue. The %alnum variables (which
are created by SEC actions) can only be used in action lists, while the
$num and %num match variables (created by patterns) work across the
entire rule definition. However, %alnum variables have the advantage
of being visible across all rules. There are several reasons for this --
some %alnum variables might not have a value yet when certain parts of
the rule are processed (most notably %s); also, some values might not
make sense at all (like function pointers). It would also make pattern
handling much more complex.
For the rules you are having, I actually see no reason to employ
%alnum variables, since regular match variables are enough for
handling the case. I made a couple of very minor corrections to the
rules (hopefully I was able to understand the true meaning of the rules
properly). I only removed the setting of the %h variable from Rule 1, and
also changed the 'context' field of Rule 3 (previously this field
contained a regular expression, but one can only use Boolean expressions
in this field):
type=Single
ptype=regexp
pattern=^\[\d+\]\sCURRENT\sSERVICE\sSTATE:\s(\w+);(mm_error|mq_error|ms_error);(CRITICAL);(HARD|SOFT);(\d).+$
context=!$1-MMSD-$2-$3
desc=Fault-event:
action=create $1-MMSD-$2-$3; \
write /usr/local/etc/SEC_Log_Pipe [%u] %s %h-MMSD-$2-CRITICAL is $3; \
event $1-MMSD-Service-Problem;
type=single
ptype=regexp
pattern=^(\w+)-MMSD-Service-Problem
context=$1-MMSD-mm_error-CRITICAL $1-MMSD-mq_error-CRITICAL $1-MMSD-ms_error-CRITICAL
desc=Problem Detected:
action= write - [%t] %s; \
write /usr/local/etc/SEC_Log_Pipe [%u] %s %h-MMSD-Service;
type=Single
ptype=regexp
pattern=^\[\d+\]\sCURRENT\sSERVICE\sSTATE:\s(\w+);(mm_error|mq_error|ms_error);(OK);(HARD|SOFT);(\d).+$
desc=OK event received: removing context $1-MMSD-$2-$3
context=$1-MMSD-$2-CRITICAL
action=write %s; \
delete $1-MMSD-$2-CRITICAL
kind regards,
risto
On 11/05/2010 12:28 PM, M Haris Farooque wrote:
hi all,
Sorry, I made a typo in my previous mail.
I am having a slight problem; maybe some of you can take a look
and figure it out.
I am assigning a value to a variable using eval in Rule 1 and
then using the same value throughout the other rules,
but I am not sure why the other rules are not able to recognize the pattern.
The rules are as follows:
rule 1:
type=Single
ptype=regexp
pattern=^\[\d+\]\sCURRENT\sSERVICE\sSTATE:\s(\w+);(mm_error|mq_error|ms_error);(CRITICAL);(HARD|SOFT);(\d).+$
context=!$1-MMSD-$2-$3
desc=Fault-event:
action=create $1-MMSD-$2-$3; \
eval %h ( $h = $1); \
write /usr/local/etc/SEC_Log_Pipe [%u] %s %h-MMSD-$2-CRITICAL is $3; \
event %h-MMSD-Service-Problem;
### $1 = hostname, $2 = fault, $3 = flag (i.e. CRITICAL)
rule 2:
type=single
ptype=substr
pattern=%h-MMSD-Service-Problem
context=%h-MMSD-mm_error-CRITICAL %h-MMSD-mq_error-CRITICAL %h-MMSD-ms_error-CRITICAL
desc=Problem Detected:
action= write - [%t] %s; \
write /usr/local/etc/SEC_Log_Pipe [%u] %s %h-MMSD-Service;
rule 3:
type=Single
ptype=regexp
pattern=^\[\d+\]\sCURRENT\sSERVICE\sSTATE:\s(\w+);(mm_error|mq_error|ms_error);(OK);(HARD|SOFT);(\d).+$
desc=OK event received: removing context %h-MMSD-$2-$3
context=%h-MMSD-$2-CRITICAL
action=write %s; \
delete %h-MMSD-$2-CRITICAL;
###
For the given sample data it only matches Rule 1 but never matches Rule 2
or Rule 3.
Sample Input Data:
-
[1284336000] CURRENT SERVICE STATE: cmtest01;mm_eror;CRITICAL;HARD;1;Agent Service
[1284336000] CURRENT SERVICE STATE: cmtest01;mq_eror;CRITICAL;HARD;1;Agent Service
[1284336000] CURRENT SERVICE STATE: cmtest01;ms_eror;CRITICAL;HARD;1;Agent Service
# after this all contexts have been created and Rule 2
should be applied, but this is not happening here
[1284336000] CURRENT SERVICE STATE: cmtest01;mm_eror;OK;HARD;1;Agent Service
[1284336000] CURRENT SERVICE STATE: cmtest01;mq_eror;OK;HARD;1;Agent Service
[1284336000] CURRENT SERVICE STATE: cmtest01;ms_eror;OK;HARD;1;Agent Service
# rule 3 should execute, but again this is
not happening in this case
Note: %h is cmtest01 (hostname).
If instead of using %h I put 'cmtest01', then everything works fine.
Can anybody suggest what is wrong here?
Thanks and regards
--
Kind Regards/Mit freundlichen Grüßen
M Haris Farooque
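Added example, not part of the thread and not SEC itself: a small Python re-implementation of the corrected three-rule set above, so the context lifecycle can be traced without running sec. It keeps a set of live context names, re-injects the synthetic "$1-MMSD-Service-Problem" event the way SEC's event action does, and fires the Rule 2 equivalent only when all three per-host fault contexts exist (in a real SEC rule file those three names are joined with && in the context field). The host name is always taken from the capture group of the event currently being processed, which is the point of risto's fix: nothing is carried over from an earlier rule's action variables. The sample lines are constructed for this example (they spell the service names so that the regex actually matches, unlike the data in the original mail) and include a repeated CRITICAL alert to show that the negated context guard in Rule 1 suppresses duplicates.

```python
"""Toy correlator mirroring the three SEC rules from the thread (example code, not SEC)."""
import re
from collections import deque

# Constructed sample input (not the lines from the original post): one host goes
# CRITICAL on all three services, repeats one alert as SOFT, then recovers.
SAMPLE_LINES = [
    "[1284336000] CURRENT SERVICE STATE: cmtest01;mm_error;CRITICAL;HARD;1;Agent Service",
    "[1284336000] CURRENT SERVICE STATE: cmtest01;mm_error;CRITICAL;SOFT;2;Agent Service",
    "[1284336000] CURRENT SERVICE STATE: cmtest01;mq_error;CRITICAL;HARD;1;Agent Service",
    "[1284336000] CURRENT SERVICE STATE: cmtest01;ms_error;CRITICAL;HARD;1;Agent Service",
    "[1284336060] CURRENT SERVICE STATE: cmtest01;mm_error;OK;HARD;1;Agent Service",
    "[1284336060] CURRENT SERVICE STATE: cmtest01;mq_error;OK;HARD;1;Agent Service",
    "[1284336060] CURRENT SERVICE STATE: cmtest01;ms_error;OK;HARD;1;Agent Service",
]

# One regex serves Rule 1 and Rule 3: $1 = host, $2 = fault, $3 = state.
STATE_RE = re.compile(
    r"^\[\d+\]\sCURRENT\sSERVICE\sSTATE:\s(\w+);(mm_error|mq_error|ms_error);"
    r"(CRITICAL|OK);(HARD|SOFT);(\d).+$"
)
# Rule 2 matches the synthetic event that Rule 1's "event" action injects.
PROBLEM_RE = re.compile(r"^(\w+)-MMSD-Service-Problem$")
FAULTS = ("mm_error", "mq_error", "ms_error")


class Correlator:
    def __init__(self):
        self.contexts = set()   # names of currently existing contexts
        self.pending = deque()  # events injected with the "event" action
        self.log = []           # what the "write" actions would emit

    def feed(self, line):
        """Process one input line plus any synthetic events it triggers."""
        self.pending.append(line)
        while self.pending:
            self._apply_rules(self.pending.popleft())

    def _apply_rules(self, line):
        m = STATE_RE.match(line)
        if m:
            host, fault, state = m.group(1), m.group(2), m.group(3)
            ctx = f"{host}-MMSD-{fault}-CRITICAL"
            # Rule 1: context=!$1-MMSD-$2-$3, so only the first CRITICAL creates it
            if state == "CRITICAL" and ctx not in self.contexts:
                self.contexts.add(ctx)
                self.log.append(f"{ctx} is CRITICAL")
                self.pending.append(f"{host}-MMSD-Service-Problem")
            # Rule 3: context=$1-MMSD-$2-CRITICAL, so OK clears an open fault only
            elif state == "OK" and ctx in self.contexts:
                self.contexts.discard(ctx)
                self.log.append(f"OK event received: removing context {ctx}")
            return
        m = PROBLEM_RE.match(line)
        if m:
            host = m.group(1)
            # Rule 2: fire only when all three fault contexts for this host exist
            if all(f"{host}-MMSD-{f}-CRITICAL" in self.contexts for f in FAULTS):
                self.log.append(f"{host}-MMSD-Service")


def run(lines):
    """Feed all lines through the correlator; return (emitted lines, live contexts)."""
    c = Correlator()
    for line in lines:
        c.feed(line)
    return c.log, c.contexts


if __name__ == "__main__":
    emitted, live = run(SAMPLE_LINES)
    print("\n".join(emitted))
    print("live contexts:", sorted(live))
```

Running it on the constructed lines yields one "cmtest01-MMSD-Service" entry, emitted right after the third distinct fault, nothing for the repeated SOFT alert, and an empty context set once the three OK events have been processed.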