Exclude the data time stamp.

--
'ooroo
Mike...(:)-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hari Sekhon
Sent: 07 July 2008 16:15
To: [email protected]
Subject: [Simple-evcorr-users] Suppression doesn't work if event is slightly differently timestamped.

Hi,

I'm using Sec for event correlation and alerting and am finding myself trying to figure out how to suppress similar but not identical events. I have used SingleWithSuppress to suppress an event but if the event text is slightly different I find that it does not really suppress it.

eg.

Jul 3 12:33:49 hostname sshd[4801]: Invalid user UserXYZ from x.x.x.x

will be suppressed but then

Jul 3 12:33:56 hostname sshd[4801]: Invalid user UserXYZ from x.x.x.x

will not be because the prefix timestamp has changed and made the log event look different, so the action will apply to this, even if it is within the suppression period of the first event of the same type.

I figure I can add them to a context to store them like that, which I've done, but I'd also like the ability to threshold or suppress for those contexts as well as I don't want that context to have too many entries of the same event.

Anybody got any ideas on this?

-h

--
Hari Sekhon

_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
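The reply above, written out as SEC rules. This is an added example, not configuration posted in the thread or taken from the SEC project. It assumes the original rule used desc=$0 (the whole matched line); the regular expression, the 300-second window and the write action are illustrative choices. SEC identifies a running SingleWithSuppress operation by the rule plus its desc string after variable substitution, so any field that changes between events must be kept out of desc.

```conf
# BEFORE (assumed form of the original rule): desc is the whole line.
# $0 includes "Jul 3 12:33:49", so the line stamped 12:33:56 yields a
# different desc, starts a new operation and triggers the action again.
type=SingleWithSuppress
ptype=RegExp
pattern=sshd\[\d+\]: Invalid user (\S+) from (\S+)
desc=$0
action=write - %s
window=300

# AFTER: desc is built only from the captured user ($1) and source ($2).
# The timestamp and the sshd PID are matched but never enter desc, so
# repeats for the same user/source pair inside the window are suppressed,
# while a different user or source still alerts.
type=SingleWithSuppress
ptype=RegExp
pattern=sshd\[\d+\]: Invalid user (\S+) from (\S+)
desc=Invalid ssh user $1 from $2
action=write - %s
window=300
```

Only one of the two rules should be loaded at a time; they are shown together for comparison.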
