In message <[EMAIL PROTECTED]>,
"Chris Zimmerman" writes:
>I must be missing something simple...
If so I'm missing it too.
>I'm trying to setup a means to create a context of unknown log entries
>where the first message creates the context, it gets added to the
>context, and then any other messages that are processed are also
>added. When the context expires (I have it set REALLY small for
>testing purposes), the contents are then emailed out. The code below
>works but only with the first message that arrives. Once the context
>expires it won't get recreated by the first message to come in after
>expiration. What am I missing here?
[ rule 1 ]
>type=single
>desc=Tag unknown events
>ptype=regexp
>pattern=^UNDUP:(\w+\s+\d+\s+\d+:\d+:\d+) (.+)
>action=event 0 UNKNOWN:$1 $2
[ rule 2 ]
>type=single
>desc=$0
>ptype=regexp
>context=UNKNOWN_REPORT
>pattern=^UNKNOWN
>action=add UNKNOWN_REPORT
[ rule 3 ]
>type=single
>desc=$0
>continue=takenext
>ptype=regexp
>pattern=^UNKNOWN
>action=create UNKNOWN_REPORT 30 report UNKNOWN_REPORT /usr/bin/mutt -s "SEC: Unknown log entries report" [EMAIL PROTECTED]
[ rule 4 ]
>type=single
>desc=$0
>ptype=regexp
>pattern=^UNKNOWN
>action=add UNKNOWN_REPORT
I'm not seeing anything obvious. What does the log file report as the
sequence of events? Also try using
kill -USR1 <sec pid>
to dump the internal state of SEC at various points. I would expect
(when rule 4 is combined into rule 3 as I mention below):
dump after startup
  there should be no defined UNKNOWN_REPORT
  the counts for each rule should be 0
dump after sending the first unknown event
  the context UNKNOWN_REPORT should have the event
  rule 1, 3 should both have a count of 1
dump after sending the second unknown event
  the context UNKNOWN_REPORT should have the event
  rule 1, 2, 3 should all have a count of 1
dump after the context times out
  there should be no defined UNKNOWN_REPORT
  rule 1, 2, 3 should all have a count of 1
dump after sending a third unknown event
  the context UNKNOWN_REPORT should have the event
  rule 1, 3 should both have a count of 2
dump after sending a fourth unknown event
  the context UNKNOWN_REPORT should have the event
  rule 1, 2, 3 should all have a count of 2
dump after another context timeout
  there should be no defined UNKNOWN_REPORT
  rule 1, 2, 3 should all have a count of 1
Comparing what you get against the list above may lead you to the
solution.
Also as a point of style/performance, I would delete the 4th rule and
make the third rule:
type=single
desc=$0
ptype=regexp
pattern=^UNKNOWN
action=create UNKNOWN_REPORT 30 report UNKNOWN_REPORT \
       /usr/bin/mutt -s "SEC: Unknown log entries report" [EMAIL PROTECTED]; \
       add UNKNOWN_REPORT $0
context=!UNKNOWN_REPORT
so you do the create and add of UNKNOWN_REPORT in the same rule and
make sure the create won't run if UNKNOWN_REPORT is not defined.
--
-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
-------------------------------------------------------------------------
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users