I'm using a similar approach as David mentioned. I'm processing syslog messages from
network devices (various vendors like Arista, Cisco, Juniper, etc.).
We have about 7k patterns defined for matching. As SEC cannot handle such a regexp
volume, I'm using syslog-ng PatternDB for pattern matching, classification
Hi Risto,
Thank you for your explanation. All works well for me now.
I'm using SEC v2.7.12, therefore I see that compilation error with lcall and the :>
operator.
Thank you,
Dusan
From: Risto Vaarandi
Sent: Wednesday, 19 February 2020 14:52
To: Dusan Sovic
Kó
Hi SEC users,
I want to create / introduce a new match variable in my rules.
I searched forum posts and found this:
"Once you have cached match results, they become visible across all rules
and you can modify them. In order to do this, you have to use the :>
context expression operator for getting a
<--- second event that was written to
standard output
Assigning '2018-11-11T00:00:03+00:00 Event1' to variable '%lastline'
Hope this helps,
risto
Contact Dusan Sovic (mailto:dusan.so...@hotmail.sk)
wrote on Thu, 8 November 2018 at 16:11:
Hello SEC Users,
I'm using the SingleWithSuppress rule to process timestamped input events. I want to
take action after the 2nd event occurrence within 60 seconds.
The problem I have is that after the second event match, the action is taken and the event
($0) is written to the output, but it uses the timestamp of the first
Hi Risto,
Thank you for the documentation update. Looks good.
Dusan
From: Risto Vaarandi
Sent: Sunday, 14 October 2018 13:22
To: dusan.so...@hotmail.sk
Cc: simple-evcorr-users@lists.sourceforge.net
Subject: Re: [Simple-evcorr-users] Suppress rule and continue
Hi Risto,
I think it would be beneficial to highlight this fact in the Rule Types -> Suppress
paragraph, that other "techniques" have to be used to achieve suppression across
multiple configuration files.
I like the idea to add this as a separate FAQ entry.
Thank you,
Dusan
Hi Risto,
Thank you very much for your suggestions and explanation.
Must agree with your arguments that introducing "continue" field option support
into the "Suppress" rule would introduce some confusion.
I have never thought that this type of suppression logic could be achieved by a
"Jump" rule.
Hello SEC Users,
Based on the SEC documentation, *Suppress* rules don't support the "continue" field
like other rules.
My understanding is that if a suppress rule matches an event, the search for matching
rules ends in the *current* configuration file.
Let's consider this simple example with two config
Hi Risto,
This helps me a lot!
Thank you very much for your help.
Dusan
From: Risto Vaarandi <risto.vaara...@gmail.com>
Sent: 20 April 2017 15:52:56
To: Dusan Sovic
Cc: simple-evcorr-users@lists.sourceforge.net
Subject: Re: [Simple-evcorr
Hi Risto,
This is exactly what I have been looking for!
Thank you,
Dusan
From: Risto Vaarandi <risto.vaara...@gmail.com>
Sent: 15 January 2017 20:54
To: Dusan Sovic
Cc: simple-evcorr-users@lists.sourceforge.net
Subject: Re: [Simple-evcorr-users
Dear mailing list users,
In one of my rules I need to conditionally take an action if a given correlation
operation exists. From the SEC man page, I can see that under rule *action* I can
use the actions 'reset', 'getwpos' and 'setwpos' to work with correlation
operation(s).
I learned how to use 'reset'
10:51
To: Dusan Sovic
Cc: simple-evcorr-users@lists.sourceforge.net
Subject: Re: [Simple-evcorr-users] Content of pattern match cache after
synthetic event injection
hi Dusan,
you have asked an excellent question. The behavior you are seeing is
actually something expected, since pattern match cachi
Hello,
In my SEC rules I'm using the pattern match cache. I would like to know what the
pattern match cache content is after injection of a synthetic event. Is there any
possibility to clear a record from the pattern match cache on demand?
Consider the following SEC rule config (t.sec):