Thanks! It turns out that it was working after all. My other rules were just filtering more than I thought...
Thanks also for the tip with the !CONTEXT_NAME. I've been reading through various examples and I wondered what that meant!

On Wed, Jun 4, 2008 at 11:17 AM, John P. Rouillard <[EMAIL PROTECTED]> wrote:
>
> In message <[EMAIL PROTECTED]>,
> "Chris Zimmerman" writes:
>
>>I must be missing something simple...
>
> If so I'm missing it too.
>
>>I'm trying to set up a means to create a context of unknown log entries
>>where the first message creates the context, it gets added to the
>>context, and then any other messages that are processed are also
>>added. When the context expires (I have it set REALLY small for
>>testing purposes), the contents are then emailed out. The code below
>>works but only with the first message that arrives. Once the context
>>expires it won't get recreated by the first message to come in after
>>expiration. What am I missing here?
>
> [ rule 1 ]
>>type=single
>>desc=Tag unknown events
>>ptype=regexp
>>pattern=^UNDUP:(\w+\s+\d+\s+\d+:\d+:\d+) (.+)
>>action=event 0 UNKNOWN:$1 $2
> [ rule 2 ]
>>type=single
>>desc=$0
>>ptype=regexp
>>context=UNKNOWN_REPORT
>>pattern=^UNKNOWN
>>action=add UNKNOWN_REPORT
> [ rule 3 ]
>>type=single
>>desc=$0
>>continue=takenext
>>ptype=regexp
>>pattern=^UNKNOWN
>>action=create UNKNOWN_REPORT 30 report UNKNOWN_REPORT /usr/bin/mutt -s
>>"SEC: Unknown log entries report" [EMAIL PROTECTED]
> [ rule 4 ]
>>type=single
>>desc=$0
>>ptype=regexp
>>pattern=^UNKNOWN
>>action=add UNKNOWN_REPORT
>
> I'm not seeing anything obvious. What does the log file report as the
> sequence of events? Also try using
>
> kill -USR1 <sec pid>
>
> to dump the internal state of SEC at various points.
> I would expect
> (when rule 4 is combined into rule 3 as I mention below):
>
> dump after startup
> there should be no defined UNKNOWN_REPORT
> the counts for each rule should be 0
>
> dump after sending the first unknown event
> the context UNKNOWN_REPORT should have the event
> rule 1, 3 should both have a count of 1
>
> dump after sending the second unknown event
> the context UNKNOWN_REPORT should have the event
> rule 1, 2, 3 should all have a count of 1
>
> dump after the context times out
> there should be no defined UNKNOWN_REPORT
> rule 1, 2, 3 should all have a count of 1
>
> dump after sending a third unknown event
> the context UNKNOWN_REPORT should have the event
> rule 1, 3 should both have a count of 2
>
> dump after sending a fourth unknown event
> the context UNKNOWN_REPORT should have the event
> rule 1, 2, 3 should all have a count of 2
>
> dump after another context timeout
> there should be no defined UNKNOWN_REPORT
> rule 1, 2, 3 should all have a count of 1
>
> Comparing what you get against the list above may lead you to the
> solution.
>
> Also as a point of style/performance, I would delete the 4th rule and
> make the third rule:
>
> type=single
> desc=$0
> ptype=regexp
> pattern=^UNKNOWN
> action=create UNKNOWN_REPORT 30 report UNKNOWN_REPORT \
> /usr/bin/mutt -s "SEC: Unknown log entries report" [EMAIL PROTECTED];\
> add $0
> context= !UNKNOWN_REPORT
>
> so you do the create and add of UNKNOWN_REPORT in the same rule and
> make sure the create won't run if UNKNOWN_REPORT is not defined.
>
> --
> -- rouilj
> John Rouillard
> ===========================================================================
> My employers don't acknowledge my existence much less my opinions.
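As an added illustration that is not part of the thread, the following Python model replays the context lifecycle John describes (rule 1 rewriting UNDUP: lines, rule 2 adding to an existing UNKNOWN_REPORT, the merged rule 3 with context=!UNKNOWN_REPORT creating it and adding $0, and the report firing on expiry) against constructed sample lines. It is a simplified stand-in for SEC, not SEC itself: the timeout, the regexp and the rule order are taken from the messages above, and the "report" is recorded in a list instead of being mailed with mutt.

```python
import re

# Simplified model of the SEC context lifecycle discussed in the thread.
# Assumption: a context expires once the clock passes its deadline, and its
# report action runs once with every event that was added to it.

LIFETIME = 30  # seconds, as in "create UNKNOWN_REPORT 30 ..."

class Sec:
    def __init__(self):
        self.contexts = {}      # name -> {"expires": t, "events": [...]}
        self.reports = []       # stand-in for the mutt report action
        self.counts = {1: 0, 2: 0, 3: 0}   # per-rule match counts, as in a USR1 dump
        self.undup = re.compile(r"^UNDUP:(\w+\s+\d+\s+\d+:\d+:\d+) (.+)")

    def tick(self, now):
        """Expire contexts whose lifetime has passed and run their report action."""
        for name in [n for n, c in self.contexts.items() if c["expires"] <= now]:
            ctx = self.contexts.pop(name)
            self.reports.append((name, list(ctx["events"])))

    def feed(self, line, now):
        self.tick(now)
        # rule 1: rewrite UNDUP: lines into UNKNOWN: events (action=event 0 ...)
        m = self.undup.match(line)
        if m:
            self.counts[1] += 1
            self.feed("UNKNOWN:%s %s" % (m.group(1), m.group(2)), now)
            return
        if not line.startswith("UNKNOWN"):
            return
        # rule 2: context=UNKNOWN_REPORT -> add to the existing context and stop
        if "UNKNOWN_REPORT" in self.contexts:
            self.counts[2] += 1
            self.contexts["UNKNOWN_REPORT"]["events"].append(line)
            return
        # merged rule 3: context=!UNKNOWN_REPORT -> create the context, then add $0
        self.counts[3] += 1
        self.contexts["UNKNOWN_REPORT"] = {"expires": now + LIFETIME, "events": [line]}

def run_scenario():
    """Replay the dump sequence from the thread; returns (counts, reports)."""
    sec = Sec()
    sec.feed("UNDUP:Jun  4 11:17:00 sshd[123]: constructed sample line 1", 0)
    sec.feed("UNDUP:Jun  4 11:17:05 sshd[123]: constructed sample line 2", 5)
    sec.tick(40)                       # first context times out -> report 1
    sec.feed("UNDUP:Jun  4 11:17:45 kernel: constructed sample line 3", 45)
    sec.feed("UNDUP:Jun  4 11:17:50 kernel: constructed sample line 4", 50)
    sec.tick(90)                       # second timeout -> report 2
    return sec.counts, sec.reports
```

After the replay the counts are rule 1: 4, rule 2: 2, rule 3: 2, and two reports of two events each have fired, matching the dump sequence in the quoted message.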