[Simple-evcorr-users] _INTERNAL_EVENT not being set when processing 'event' action event

Sun, 26 Jul 2009 13:08:49 -0700 

Hi all:

I have been running through my examples for a class I am teaching in
November and came across the following bug. In the sec 2.5.2 man page,
it says that the context _INTERNAL_EVENT:

  If the line was created with the event action, the name of the
  internal context is _INTERNAL_EVENT.

However that seems to not be working. Using the ruleset:

  type = singlewithscript
  desc = test internal event
  ptype = regexp
  context = eventgen
  pattern = generate
  script = /bin/cat
  action = delete eventgen

  type = single
  desc = generate internal event
  ptype = regexp
  pattern = generate
  context = ! eventgen
  action = create eventgen; event $0

and running with:

   sec -conf event_context_test.sr -input=-

I start it up and type in "generate event"(my input is outdented) and see:

  SEC (Simple Event Correlator) 2.5.2
    Reading configuration from event_context_test.sr
    2 rules loaded from event_context_test.sr
  generate event
    Creating context 'eventgen'
    Creating event 'generate event'
    Child 29552 created for command '/bin/cat'
    eventgen (*)
    Child 29552 terminated with exitcode 0
    Deleting context 'eventgen'
    Context 'eventgen' deleted

the "eventgen" context is shown (*), but no _INTERNAL_EVENT
context. If I change the context value on the first rule from:

  context = eventgen

to

  context = eventgen && _INTERNAL_EVENT

I see:

  generate event
    Creating context 'eventgen'
    Creating event 'generate event'
  generate event

so the SingleWithScript rule doesn't fire. This is using cygwin 1.7
and 2.5.2 of SEC, but I claim it's going to be a problem on any
system.

--
                                -- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.

------------------------------------------------------------------------------
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users

Reply via email to