In message <[EMAIL PROTECTED]>,
Risto Vaarandi writes:
>I would recommend 'event' action for creating new events from existing ones,
> since this action is most appropriate for this task.
As would I.
>If you would like to resolve an IP address, you could employ the
>'eval' action with 'event':
>
>type=Single
>ptype=regexp
>pattern=Peer (\S+) down
>desc=My peer at $1 went down
>action=eval %hostname ( $line = `/usr/bin/host $1`; \
> if ($line =~ /domain name pointer ([\w\.\-]+)/) { "$$1"; } \
> else { "$1"; } ); \
> event My peer %hostname ($1) is down
>
One thing you do have to do is to make sure that the new event is
captured before it triggers the same event. In this case the newly
synthesized event:
My peer hostname (1.2.3.4) is down
doesn't match the original event regular expression:
pattern=Peer (\S+) down
But if the newly synthesized event was instead:
My Peer hostname (1.2.3.4) is down
it would match and result in some fun. Also, if somebody can synthesize
events such as "Peer `/tmp/dosomethingnasty` down" using, say,
logger(1), well, things may get interesting.
So the guideline here is to use very specific regular expressions. In
this example I would use (at minimum):
^Peer ([0-9.]+) down
to match the original event:
Peer 1.2.3.4 down
This prevents:
1. execution of anything that is unsafe. If you expect to extract
a particular sequence of characters make your regexp match exactly
that sequence.
2. having the rule match the newly synthesized event accidentally.
I have had one occasion where capitalization of the initial event
changed based on the software release of the originating system. To
make things work again they added (?i) to the beginning of the
regexp. This makes the regexp a case insensitive match.
Hilarity ensued as the only difference between a newly synthesized
event and the original one was in the case of the output. Can you say
infinite loop?
Since events generated using event are processed before any of the
file inputs, the SEC process just stalled processing the one event
over and over again and doing nothing else useful.
While the way Risto presented is the most straightforward, you can
also, depending on your needs:
- have a reporting program/script perform the lookup.
- use a program spawned from the sec script to perform the lookup. A
  program spawned from a script will have its stdout submitted as
  events. Have sec write the event to a named pipe, the spawned
  script performs the hostname lookup (possibly using a cache so it
  doesn't have to query DNS as often), then the spawned script
  prints the new event to stdout to have the sec script process it.
--
-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
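The two failure modes John describes (a rule whose synthesized event re-triggers it once (?i) is added, and a capture handed to a shell without validation) modelled in Python. This is an added example, not SEC code and not from the thread; the event queue, the "Alert: ..." output format and the PTR table are constructed stand-ins for SEC's 'event' action and the /usr/bin/host lookup.

```python
import re
from collections import deque

# Constructed stand-in for the PTR lookup; the quoted rule shelled out to /usr/bin/host.
FAKE_PTR = {"1.2.3.4": "peer1.example.net"}

def resolve(ip):
    """Resolve only well-formed dotted quads; anything else is returned untouched."""
    if not re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", ip):
        return ip
    return FAKE_PTR.get(ip, ip)

# The loose rule with the (?i) John describes, and the recommended anchored one.
LOOSE = re.compile(r"(?i)Peer (\S+) down")
STRICT = re.compile(r"^Peer ([0-9.]+) down$")

def synthesize(ip):
    # Constructed output format; note the new event itself contains "peer ... down".
    return f"Alert: peer {ip} down ({resolve(ip)})"

def run(pattern, inputs, limit=10):
    """Tiny SEC model: events created by 'event' are queued ahead of file input.
    Returns (list of captured $1 values, whether the iteration limit was hit)."""
    queue = deque(inputs)
    captures = []
    while queue and len(captures) < limit:
        line = queue.popleft()
        m = pattern.search(line)
        if m:
            captures.append(m.group(1))
            queue.appendleft(synthesize(m.group(1)))  # processed before remaining input
    return captures, len(captures) >= limit

if __name__ == "__main__":
    events = ["Peer 1.2.3.4 down", "Peer `/tmp/dosomethingnasty` down"]
    for name, pat in (("loose", LOOSE), ("strict", STRICT)):
        captures, looped = run(pat, events)
        print(f"{name}: looped={looped} captures={captures}")
```

With the loose rule the synthesized event matches again and the second input line is never reached, exactly the stall John describes; with the anchored rule the backtick string never reaches the lookup.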