Hari, the problem you have can be tackled in a simple way -- an appropriate value must be chosen for the 'desc' parameter of the SingleWithSuppress rule. Since you mentioned the problem of changing timestamps, I suppose that right now you probably have 'desc=$0' in your rule definition.
Since the 'desc' parameter is evaluated for each matching event and forms the event correlation key, *and* $0 equals the entire matching line (including the timestamp!), the event correlation key will be different for each matching event. As a consequence, a new event correlation operation is started for each matching event, and thus no event suppression is done.

If you would like to suppress repeated invalid user events for the same user name, use the following 'pattern' and 'desc':

pattern=sshd\[\d+\]: Invalid user (\S+) from \S+
desc=Failed login for user $1

If you would like to suppress such events for all user names for a certain time frame, you could rewrite 'desc' as:

desc=Failed logins for all users

In that way, the event correlation key is constant for all "Invalid user" events, and all such events will be correlated by one operation only.

Finally, the following section of the SEC man page describes the role of the 'desc' field in the event correlation process: http://kodu.neti.ee/~risto/sec/sec.pl.html#lbAT. Have a look at this, because it explains the relationship between rules and event correlation operations.

hth,
risto

> From: Hari Sekhon <[EMAIL PROTECTED]>
> Subject: [Simple-evcorr-users] Suppression doesn't work if event is slightly
> differently timestamped.
> To: [email protected]
> Date: Monday, July 7, 2008, 8:14 AM
> Hi,
>
> I'm using Sec for event correlation and alerting and am finding
> myself trying to figure out how to suppress similar but not identical
> events.
>
> I have used SingleWithSuppress to suppress an event but if the event
> text is slightly different I find that it does not really suppress it.
>
> eg.
>
> Jul 3 12:33:49 hostname sshd[4801]: Invalid user UserXYZ from x.x.x.x
>
> will be suppressed but then
>
> Jul 3 12:33:56 hostname sshd[4801]: Invalid user UserXYZ from x.x.x.x
>
> will not be because the prefix timestamp has changed and made the log
> event look different, so the action will apply to this, even if it is
> within the suppression period of the first event of the same type.
>
> I figure I can add them to a context to store them like that, which I've
> done, but I'd also like the ability to threshold or suppress for those
> contexts as well as I don't want that context to have too many entries
> of the same event.
>
> Anybody got any ideas on this?
>
> -h
>
> --
> Hari Sekhon
>
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
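As an added illustration (not part of the thread and not SEC's own code), the following Python models how a SingleWithSuppress rule derives its event correlation key from 'desc' and runs that model over constructed log lines like the ones Hari posted: with 'desc=$0' every event gets its own key and nothing is suppressed, while the two 'desc' values suggested in the reply collapse the events onto one key per user name or onto a single key. The 60-second window and the same-day hh:mm:ss parsing are assumptions of the example.

```python
import re

# Constructed sample events modelled on the thread (placeholder host/address).
SAMPLE_EVENTS = [
    "Jul 3 12:33:49 hostname sshd[4801]: Invalid user UserXYZ from x.x.x.x",
    "Jul 3 12:33:56 hostname sshd[4801]: Invalid user UserXYZ from x.x.x.x",
    "Jul 3 12:34:02 hostname sshd[4805]: Invalid user admin from x.x.x.x",
    "Jul 3 12:34:10 hostname sshd[4809]: Invalid user UserXYZ from x.x.x.x",
]
# The 'pattern' from the reply; group 1 is the user name, available as $1.
PATTERN = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from \S+")


def seconds_of_day(line):
    """Convert the syslog hh:mm:ss prefix to seconds (same-day events assumed)."""
    h, m, s = map(int, re.search(r"\b(\d\d):(\d\d):(\d\d)\b", line).groups())
    return h * 3600 + m * 60 + s


def expand_desc(desc, line, match):
    """Expand SEC-style $N variables: $0 is the whole input line, $N is group N."""
    return re.sub(r"\$(\d+)",
                  lambda v: line if v.group(1) == "0" else match.group(int(v.group(1))),
                  desc)


def single_with_suppress(events, desc, window):
    """Model SEC's SingleWithSuppress: the expanded 'desc' is the correlation key.
    The first event for a key fires the action and opens a 'window'-second
    suppression period; later events with the same key inside it are ignored.
    Returns one (key, action_fired) pair per matching event."""
    expires_at = {}  # correlation key -> end of its suppression window
    results = []
    for line in events:
        match = PATTERN.search(line)
        if not match:
            continue  # 'pattern' did not match, so the rule does not apply
        key = expand_desc(desc, line, match)
        now = seconds_of_day(line)
        fired = now >= expires_at.get(key, -1)
        if fired:
            expires_at[key] = now + window
        results.append((key, fired))
    return results


def fired_flags(desc, window=60):
    """Action-fired flag per sample event for a given 'desc' (60 s window)."""
    return [fired for _, fired in single_with_suppress(SAMPLE_EVENTS, desc, window)]
```

Calling fired_flags("$0") fires on every event, while fired_flags("Failed login for user $1") suppresses the repeats for UserXYZ but still fires once for admin.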
