Re: [Simple-evcorr-users] problem facing with internal Variable scope

2010-11-05 Thread M Haris Farooque



Hi all,
*Sorry, I made a typo in my previous mail.*

I am having a slight problem; maybe some of you can take a look 
and figure it out.
I am assigning a value to a variable using eval in Rule 1 and 
then using the same value in the other rules.


But I'm not sure why the other rules are not able to recognize the pattern.
The rules are as follows:

rule 1:


type=Single
ptype=regexp
pattern=^\[\d+\]\sCURRENT\sSERVICE\sSTATE:\s(\w+);(mm_error|mq_error|ms_error);(*CRITICAL*);(HARD|SOFT);(\d).+$
context=!$1-MMSD-$2-$3
desc=Fault-event:
action=create $1-MMSD-$2-$3; \
*eval %h ( $h = $1); \*
write /usr/local/etc/SEC_Log_Pipe [%u] %s %h-MMSD-$2-CRITICAL 
is $3; \

event *%h-MMSD-Service-Problem*;

### $1 = hostname, $2=fault, $3=flag (i.e. CRITICAL)

rule 2:

type=single
ptype=substr
pattern=*%h-MMSD-Service-Problem*
context=*%h-*MMSD-mm_error-CRITICAL  *%h*-MMSD-mq_error-CRITICAL  
*%h*-MMSD-ms_error-CRITICAL

desc=Problem Detected:
action= write - [%t] %s; \
write /usr/local/etc/SEC_Log_Pipe [%u] %s *%h*-MMSD-Service;

rule 3:
--
type=Single
ptype=regexp
pattern=^\[\d+\]\sCURRENT\sSERVICE\sSTATE:\s(\w+);(mm_error|mq_error|ms_error);(*OK*);(HARD|SOFT);(\d).+$
desc=OK event received: removing context %h-MMSD-$2-$3
context=*%h*-MMSD-$2-CRITICAL
action=write %s; \
delete %h-MMSD-$2-CRITICAL;
###

For the given sample data it only matches Rule 1 but never matches Rule 2 
or Rule 3.


Sample Input Data:
-
[1284336000] CURRENT SERVICE STATE: cmtest01;mm_eror;CRITICAL;HARD;1;Agent Service
[1284336000] CURRENT SERVICE STATE: cmtest01;mq_eror;CRITICAL;HARD;1;Agent Service
[1284336000] CURRENT SERVICE STATE: cmtest01;ms_eror;CRITICAL;HARD;1;Agent Service
# after this all contexts have been created and Rule 2 should be applied, but this is not happening here


[1284336000] CURRENT SERVICE STATE: cmtest01;mm_eror;OK;HARD;1;Agent Service
[1284336000] CURRENT SERVICE STATE: cmtest01;mq_eror;OK;HARD;1;Agent Service
[1284336000] CURRENT SERVICE STATE: cmtest01;ms_eror;OK;HARD;1;Agent Service
# rule 3 should execute, but again eventually this is not happening in this case



note: %h is cmtest01 (hostname)


If instead of using %h I place 'cmtest01', then everything works fine.

Can anybody suggest what is wrong here?

Thanks and regards
--

Kind Regards/Mit freundlichen Grüßen

M Haris Farooque


OK, I managed to fix it, but I am still not sure about SEC's behaviour in 
treating internal variables. In my Rule 2 and Rule 3 I made one change 
and it started working as it should. The changes I made are 
highlighted in '*GREEN*'


Rule 2:
-

type=single
ptype=*regexp*
pattern=*^(\w+)-MMSD-Service-Problem*
context=*$1-*MMSD-mm_error-CRITICAL  **$1**-MMSD-mq_error-CRITICAL  
*$1*-MMSD-ms_error-CRITICAL

desc=Problem Detected:
action= write - [%t] %s; \
write /usr/local/etc/SEC_Log_Pipe [%u] %s *%h*-MMSD-Service;

rule 3:
--
type=Single
ptype=regexp
pattern=^\[\d+\]\sCURRENT\sSERVICE\sSTATE:\s(\w+);(mm_error|mq_error|ms_error);(*OK*);(HARD|SOFT);(\d).+$
desc=OK event received: removing context $1-MMSD-$2-$3
context=**^(\w+)**-MMSD-$2-CRITICAL
action=write %s; \
delete %h-MMSD-$2-CRITICAL;  ##  Delete Context with %h. It's working but ???



If the scope of the variable is extended across different rules and 
across different files, then why is it not able to retrieve the 
value of '%h' here? It is surprising that in Rule 3 I am still able to 
delete the context by using %h.

--

Kind Regards/Mit freundlichen Grüßen

M Haris Farooque



Re: [Simple-evcorr-users] problem facing with internal Variable scope

2010-11-05 Thread Risto Vaarandi
hi,
and sorry for not being able to answer yesterday :(
There is an easy explanation to the issue. The %alnum variables (which 
are created by SEC actions) can only be used in action lists, while the 
$num and %num match variables (created by patterns) work across 
entire rule definition. However, %alnum variables have the advantage 
of being visible across all rules. There are several reasons for this -- 
some %alnum variables might not have a value yet when certain parts of 
the rule are processed (most notably %s); also, some values might not 
make sense at all (like function pointers). It would also make pattern 
handling much more complex.

For the rules you are having, I actually see no reason to employ 
%alnum variables, since regular match variables are enough for 
handling the case. I made a couple of very minor corrections to the 
rules (hopefully I was able to understand the true meaning of the rules 
properly). I only removed the setting of %h variable from Rule1, and 
also changed the 'context' field of Rule3 (previously this field 
contained a regular expression, but one can only use Boolean expressions 
in this field):

type=Single
ptype=regexp
pattern=^\[\d+\]\sCURRENT\sSERVICE\sSTATE:\s(\w+);(mm_error|mq_error|ms_error);(CRITICAL);(HARD|SOFT);(\d).+$
context=!$1-MMSD-$2-$3
desc=Fault-event:
action=create $1-MMSD-$2-$3; \
 write /usr/local/etc/SEC_Log_Pipe [%u] %s %h-MMSD-$2-CRITICAL is $3; \
 event $1-MMSD-Service-Problem;

type=single
ptype=regexp
pattern=^(\w+)-MMSD-Service-Problem
context=$1-MMSD-mm_error-CRITICAL && $1-MMSD-mq_error-CRITICAL && $1-MMSD-ms_error-CRITICAL
desc=Problem Detected:
action= write - [%t] %s; \
 write /usr/local/etc/SEC_Log_Pipe [%u] %s %h-MMSD-Service;

type=Single
ptype=regexp
pattern=^\[\d+\]\sCURRENT\sSERVICE\sSTATE:\s(\w+);(mm_error|mq_error|ms_error);(OK);(HARD|SOFT);(\d).+$
desc=OK event received: removing context $1-MMSD-$2-$3
context=$1-MMSD-$2-CRITICAL
action=write %s; \
delete $1-MMSD-$2-CRITICAL

kind regards,
risto
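
The scoping rule described in the reply above, as an added example that is not part of the original thread and is not SEC's own code: a simplified Python model in which match variables ($1, $2) are expanded in context names and actions, while %h is expanded in actions only, run over Rule 2 and Rule 3 from the thread. The events are constructed, the context names are assumed to be joined with a logical AND, and actions are expanded but not executed.

```python
import re

FAULTS = ("mm_error", "mq_error", "ms_error")
ACTION_VARS = {"h": "cmtest01"}   # %alnum variables: global, set by actions such as eval
CONTEXTS = {f"cmtest01-MMSD-{f}-CRITICAL" for f in FAULTS}   # contexts created by Rule 1

def sub_match(text, groups):
    """Expand $1, $2, ... match variables; valid across the whole rule."""
    return re.sub(r"\$(\d)", lambda m: groups[int(m.group(1)) - 1], text)

def sub_action(text):
    """Expand %name variables; this step runs on action lists only."""
    return re.sub(r"%(\w+)", lambda m: ACTION_VARS.get(m.group(1), m.group(0)), text)

def fire(rule, line):
    """Return the expanded action if the rule fires on line, else None."""
    if rule["ptype"] == "substr":
        if rule["pattern"] not in line:      # "%h" in a pattern is literal text
            return None
        groups = ()
    else:
        m = re.search(rule["pattern"], line)
        if m is None:
            return None
        groups = m.groups()
    # Context names get match variables only, so "%h-..." names no live context.
    if not all(sub_match(c, groups) in CONTEXTS for c in rule["context"]):
        return None
    return sub_action(sub_match(rule["action"], groups))

OK_RE = (r"^\[\d+\]\sCURRENT\sSERVICE\sSTATE:\s(\w+);"
         r"(mm_error|mq_error|ms_error);(OK);(HARD|SOFT);(\d).+$")
RULES = {
    "rule2_original": {"ptype": "substr", "pattern": "%h-MMSD-Service-Problem",
                       "context": [f"%h-MMSD-{f}-CRITICAL" for f in FAULTS],
                       "action": "write %h-MMSD-Service"},
    "rule2_fixed": {"ptype": "regexp", "pattern": r"^(\w+)-MMSD-Service-Problem",
                    "context": [f"$1-MMSD-{f}-CRITICAL" for f in FAULTS],
                    "action": "write %h-MMSD-Service"},
    "rule3_original": {"ptype": "regexp", "pattern": OK_RE,
                       "context": ["%h-MMSD-$2-CRITICAL"],
                       "action": "delete %h-MMSD-$2-CRITICAL"},
    "rule3_fixed": {"ptype": "regexp", "pattern": OK_RE,
                    "context": ["$1-MMSD-$2-CRITICAL"],
                    "action": "delete %h-MMSD-$2-CRITICAL"},
}
# Constructed events: the synthetic event emitted by Rule 1 and one OK line.
EVENTS = {"2": "cmtest01-MMSD-Service-Problem",
          "3": "[1284336000] CURRENT SERVICE STATE: cmtest01;mm_error;OK;HARD;1;Agent Service"}

def run_all():
    """Map each rule variant to its expanded action, or None if it did not fire."""
    return {name: fire(rule, EVENTS[name[4]]) for name, rule in RULES.items()}
```

In this model both original variants return None, while the fixed Rule 3 still expands `delete %h-MMSD-$2-CRITICAL` correctly because that string sits in the action list.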
