Hi all:
I have been running through my examples for a class I am teaching in
November and came across the following bug. In the sec 2.5.2 man page,
it says that the context _INTERNAL_EVENT:
If the line was created with the event action, the name of the
internal context is _INTERNAL_EVENT.
However that seems to not be working. Using the ruleset:
type = singlewithscript
desc = test internal event
ptype = regexp
context = eventgen
pattern = generate
script = /bin/cat
action = delete eventgen
type = single
desc = generate internal event
ptype = regexp
pattern = generate
context = ! eventgen
action = create eventgen; event $0
and running with:
sec -conf event_context_test.sr -input=-
I start it up and type in "generate event"(my input is outdented) and see:
SEC (Simple Event Correlator) 2.5.2
Reading configuration from event_context_test.sr
2 rules loaded from event_context_test.sr
generate event
Creating context 'eventgen'
Creating event 'generate event'
Child 29552 created for command '/bin/cat'
eventgen (*)
Child 29552 terminated with exitcode 0
Deleting context 'eventgen'
Context 'eventgen' deleted
the "eventgen" context is shown (*), but no _INTERNAL_EVENT
context. If I change the context value on the first rule from:
context = eventgen
to
context = eventgen && _INTERNAL_EVENT
I see:
generate event
Creating context 'eventgen'
Creating event 'generate event'
generate event
so the SingleWithScript rule doesn't fire. This is using cygwin 1.7
and 2.5.2 of SEC, but I claim it's going to be a problem on any
system.
--
-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
------------------------------------------------------------------------------
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
