Tim,
I would recommend 'event' action for creating new events from existing ones,
since this action is most appropriate for this task. The 'event' action inserts
a new line into the SEC's input buffer, and this line is matched against all
rules (exactly like a regular input line read from an input file). The 'create'
action only sets up a context that might be useful for activating/deactivating
certain rules, but it doesn't create a new SEC input event as such.
If you would like to resolve an IP address, you could employ the 'eval' action
with 'event':
type=Single
ptype=regexp
pattern=Peer (\S+) down
desc=My peer at $1 went down
action=eval %hostname ( $line = `/usr/bin/host $1`; \
if ($line =~ /domain name pointer ([\w\.\-]+)/) { "$$1"; } else { \
"$1"; } ); \
event My peer %hostname ($1) is down
This rule uses /usr/bin/host for finding a hostname for a given IP address,
sets %hostname variable accordingly (%hostname is set to IP address if there is
no hostname found), and generates a new event with the 'event' action.
Note that this approach forks a new process for each hostname query. If you
would like to avoid the fork, load a Perl module for resolving IP addresses at
SEC startup, and call functions of this module instead.
hth,
risto
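The module-based variant sketched in the reply above, written out as an added example (it is not risto's code and not part of SEC; the module name PeerResolver, the path /etc/sec/PeerResolver.pm and the use of the SEC_STARTUP internal event, which needs sec to be started with --intevents, are assumptions). It resolves the address in-process with the core Socket module, so nothing is forked, and it only accepts a dotted-quad IPv4 string: a token copied straight from a log line into a backtick shell command, as in the rule above, is a command-injection risk if the log text is not fully trusted, so the SEC pattern in the accompanying rule is narrowed to digits and dots and the module re-checks the value before use. Because the code lives in a separate file loaded with require, SEC's own $1 substitution never touches it, which is why plain Perl captures are used here instead of the $$1 escape needed inside an action line.

```perl
# PeerResolver.pm -- hypothetical module name; an added example, not part of SEC.
# Resolves an IPv4 address to a hostname inside the SEC process with the core
# Socket module, so no shell is spawned and no log-derived token reaches one.
package PeerResolver;
use strict;
use warnings;
use Socket qw(inet_aton AF_INET);

my %cache;    # ip => hostname (or the ip itself when no PTR record exists)

# True only for a dotted quad with octets 0..255; everything else is rejected
# so that whatever the log line carried after "Peer " cannot be misused.
sub is_ipv4 {
    my ($s) = @_;
    return 0 unless defined $s
        && $s =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/;
    for my $octet ($1, $2, $3, $4) {
        return 0 if $octet > 255;
    }
    return 1;
}

# Returns the PTR name for $ip, or $ip unchanged when it is not a valid
# address or has no reverse mapping. Results are cached because
# gethostbyaddr() blocks SEC's single event loop while the query runs.
sub resolve {
    my ($ip) = @_;
    return $ip unless is_ipv4($ip);
    return $cache{$ip} if exists $cache{$ip};
    my $packed = inet_aton($ip);
    my $name   = defined $packed ? gethostbyaddr($packed, AF_INET) : undef;
    $cache{$ip} = (defined $name && length $name) ? $name : $ip;
    return $cache{$ip};
}

# Drop a cached entry, e.g. from a periodic SEC Calendar rule, so that a
# renamed host is picked up again.
sub forget {
    my ($ip) = @_;
    delete $cache{$ip};
}

# Matching SEC rules (constructed; the path and --intevents are assumptions).
# The first loads this file once on the SEC_STARTUP internal event; the second
# restricts the capture to digits and dots before the value is interpolated
# into the eval action.
#
#   type=Single
#   ptype=RegExp
#   pattern=^SEC_STARTUP$
#   context=SEC_INTERNAL_EVENT
#   desc=load resolver
#   action=eval %o (require '/etc/sec/PeerResolver.pm')
#
#   type=Single
#   ptype=RegExp
#   pattern=^Peer (\d{1,3}(?:\.\d{1,3}){3}) down$
#   desc=My peer at $1 went down
#   action=eval %hostname (PeerResolver::resolve('$1')); \
#          event My peer %hostname ($1) is down

# Stand-alone check when run as a script rather than loaded by SEC: the
# invalid tokens come back unchanged without any lookup being attempted.
unless (caller) {
    for my $token ('127.0.0.1', '1.2.3.4', '999.1.1.1', 'x; id', '') {
        printf "%-12s -> %s\n", "'$token'", resolve($token);
    }
}

1;
```

Run it as `perl PeerResolver.pm` to see the validation behaviour offline (only the valid addresses trigger a reverse lookup), then install it and point the require in the startup rule at its location. The cache is deliberate: gethostbyaddr() is synchronous, so repeated "Peer ... down" lines for the same address should not each stall event correlation while a resolver times out.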
--- On Sun, 7/27/08, Tim Peiffer <[EMAIL PROTECTED]> wrote:
> From: Tim Peiffer <[EMAIL PROTECTED]>
> Subject: [Simple-evcorr-users] external script or shell command lookup
> To: [email protected]
> Date: Sunday, July 27, 2008, 11:11 AM
> I have a need to augment log information with something
> useful. The
> problem is that I don't know how to feed the results
> back into the log
> stream.
>
> Consider the log entry
>
> "Peer 1.2.3.4 down"
>
> I want to dereference the value 1.2.3.4 into foo.bar.com.
> Do I do this
> as a Single and then create a new event?
>
> type=Single
> ptype=regex
> pattern=Peer (\S+) down
> desc=My peer at $1 went down
> action=shellcmd /usr/bin/host $1 ; create 60 .... ?
>
> I wish to create a new event:
> My peer foo.bar.com (1.2.3.4) is down
>
> Please advise on how best to handle the lookaside and
> augmentation. I
> am confused by the sec.pl man for action= and script=
> configuration items.
>
> Regards,
> Tim Peiffer
> Network Operations Engineer
> Office of Information Technology/NTS
> University of Minnesota/NorthernLights GigaPOP
>
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move
> Developer's challenge
> Build the coolest Linux based applications with Moblin SDK
> & win great prizes
> Grand prize is a trip for two to an Open Source event
> anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users