Tim, since the 'pattern' fields of both rule definitions are identical, and you haven't set the 'continue' field to "TakeNext" in the first definition, an "audit...success=yes" event will never match the second rule. Consequently, no event correlation operations are started by the second rule, and "filter-key=my-second-key" events won't produce any effect. Please add "continue=TakeNext" to the first rule and check whether this fixes the problem. hth, risto
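A simplified Python model of the rule ordering described above, added here as an illustration only (it is not code from this thread or from SEC itself). The audit lines are constructed, and the regexes are adjusted (an assumption) so that $1 captures the audit serial number shared by both records of one event; it runs the two pair rules with and without continue=TakeNext on the first rule.

```python
import re

# Constructed audit-style lines (not taken from the original thread).
SAMPLE_LOG = [
    "type=SYSCALL msg=audit(1217626000.123:456): success=yes exe=/bin/ls",
    "type=CONFIG_CHANGE msg=audit(1217626000.124:456): filterkey=my-second-key",
    "type=SYSCALL msg=audit(1217626001.500:789): success=yes exe=/bin/cat",
    "type=CONFIG_CHANGE msg=audit(1217626001.501:789): filterkey=my-first-key",
]

# Assumption: $1 is the audit serial, so pattern2 can pair the two records.
PATTERN1 = r"audit\(\d+\.\d+:(\d+)\):.*success=yes"

def pair_rule(key, action2, cont):
    """One SEC-style pair rule; 'active' holds open correlations keyed by serial."""
    return {"pattern": PATTERN1,
            "pattern2": r"audit\(\d+\.\d+:($1)\):.*filterkey=" + key,
            "action2": action2, "continue": cont, "active": {}}

def run(rules, log):
    """Simplified SEC semantics: rules are tried in order for every line, and a
    rule whose pattern matches stops the search unless continue=TakeNext."""
    fired = []
    for line in log:
        for rule in rules:
            completed = False
            for serial, regex2 in list(rule["active"].items()):
                if re.search(regex2, line):          # pattern2 completes the pair
                    fired.append(rule["action2"])
                    del rule["active"][serial]
                    completed = True                 # continue2 defaults to DontCont
                    break
            if completed:
                break
            m = re.search(rule["pattern"], line)
            if m:                                    # pattern starts a correlation
                serial = m.group(1)
                rule["active"].setdefault(serial, rule["pattern2"].replace("$1", serial))
                if rule["continue"] != "TakeNext":
                    break                            # later rules never see this line
    return fired

def without_takenext():
    rules = [pair_rule("my-first-key", "/do/something", "DontCont"),
             pair_rule("my-second-key", "/do/something/else", "DontCont")]
    return run(rules, SAMPLE_LOG)      # returns ['/do/something']

def with_takenext():
    rules = [pair_rule("my-first-key", "/do/something", "TakeNext"),
             pair_rule("my-second-key", "/do/something/else", "DontCont")]
    return run(rules, SAMPLE_LOG)      # returns ['/do/something/else', '/do/something']
```

Without TakeNext the first rule consumes every success=yes line, so the second rule never opens a correlation and its action2 never fires.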
--- On Fri, 8/1/08, Tim Rupp <[EMAIL PROTECTED]> wrote:
> From: Tim Rupp <[EMAIL PROTECTED]>
> Subject: [Simple-evcorr-users] pair pattern question
> To: [email protected]
> Date: Friday, August 1, 2008, 9:36 PM
> Hi list,
>
> I was wondering if you can re-use a pattern with multiple pattern2's in
> a pair.
>
> For example if I had 2 pairs
>
> # pair 1
> type=pair
> ptype=regexp1
> pattern=audit\((\d+).*success\=yes\s
> desc="Successful command execution"
> action=none
> ptype2=regexp1
> pattern2=audit\(\d+\.\d+\:($1)\)\:.*filterkey\=my-first-key
> desc2=$0
> action2=shellcmd /do/something
>
> and
>
> # pair 2
> type=pair
> ptype=regexp1
> pattern=audit\((\d+).*success\=yes\s
> desc="Successful command execution"
> action=none
> ptype2=regexp1
> pattern2=audit\(\d+\.\d+\:($1)\)\:.*filterkey\=my-second-key
> desc2=$0
> action2=shellcmd /do/something/else
>
> If they both have the same initial pattern, is it possible for the
> second pair to ever be met? I guess I'm having that problem. The first
> pattern occurs often in my log files, and I really just want to make a
> decision based on the second pattern (if the first pattern is also met).
> I'm not seeing SEC match the second pair's pattern2 though. I think it
> may be because it's waiting for the first pair's pattern2???
>
> Can someone clarify this? I think a workaround is to specify a bunch of
> OR cases in my second pattern, but that's less than ideal because there
> may be many OR cases in the future.
>
> Thanks in advance,
> Tim
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> Build the coolest Linux based applications with Moblin SDK & win great prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
