Hi, I'm using Sec for event correlation and alerting and am finding myself trying to figure out how to suppress similar but not identical events.
I have used SingleWithSuppress to suppress an event, but if the event text is slightly different I find that it does not really suppress it. E.g.

Jul 3 12:33:49 hostname sshd[4801]: Invalid user UserXYZ from x.x.x.x

will be suppressed, but then

Jul 3 12:33:56 hostname sshd[4801]: Invalid user UserXYZ from x.x.x.x

will not be, because the prefix timestamp has changed and made the log event look different, so the action will apply to this, even if it is within the suppression period of the first event of the same type.

I figure I can add them to a context to store them like that, which I've done, but I'd also like the ability to threshold or suppress for those contexts as well, as I don't want that context to have too many entries of the same event.

Anybody got any ideas on this?

-h

--
Hari Sekhon

_______________________________________________
Simple-evcorr-users mailing list
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
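The key-normalisation the post is asking about, as an added SEC rule example that is not from the original post or the SEC project: the desc field carries only the invariant parts of the line (user and source address), so the correlation key for SingleWithSuppress and SingleWithThreshold no longer includes the changing timestamp, hostname or PID. The regex, window and threshold values are assumptions chosen for illustration.

```ini
# Added example (not from the original post). Two SEC rules whose
# correlation key is built from the invariant parts of the syslog line,
# so the changing timestamp prefix no longer defeats suppression.
# Pattern, window and thresh values are assumptions for illustration.

# Rule 1: act once per (user, source IP) pair, then stay quiet for 60 s.
# SEC derives the correlation key from the expanded desc, which here
# omits timestamp, hostname and PID, so the 12:33:49 and 12:33:56 lines
# in the post ("Invalid user UserXYZ from x.x.x.x") share one window.
# continue=TakeNext hands the same event on to rule 2 as well.
type=SingleWithSuppress
ptype=RegExp
pattern=sshd\[\d+\]: Invalid user (\S+) from (\S+)
continue=TakeNext
desc=Invalid user $1 from $2
action=write - First invalid-user attempt: user $1 from $2
window=60

# Rule 2: threshold per source IP regardless of user name. Fires once
# when 5 matching events arrive from the same IP within 300 s, then
# ignores further matches from that IP until the window expires, so the
# operator sees one alert per source rather than one per attempt.
type=SingleWithThreshold
ptype=RegExp
pattern=sshd\[\d+\]: Invalid user \S+ from (\S+)
desc=Invalid user attempts from $1
action=write - Threshold reached: 5 invalid-user attempts from $1 in 300s
window=300
thresh=5
```

Because the key is the expanded desc, a different user name or source address yields a separate suppression or counting operation, which is usually what you want for brute-force detection; collapse the key further (e.g. drop $1 from rule 1's desc) if you want a single window per source address.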
