In message <[email protected]>,
Ronald San Juan writes:
>Scenario: The logfile has lines reaching 1600 characters in length.
>
>rule:
>
>type=singlewiththreshold
>ptype=regexp
>pattern=(routing.jsp_servlet._dialogs)
>desc=$0
>action=write - $0
>window=10
>thresh=10
>
>result:
>
>When thresh is set to 10, the rule is loaded but I do not get any
>result. The threshold is definitely being met as the pattern occurs at
>least 10 times per second. When I set the thresh to 1, I get the
>results. Basically, setting the thresh to any number greater than one
>does not trigger the alarm.
This looks like the usual problem using the desc parameter. You state
'the pattern occurs at least 10 times per second' but that is not what
you are actually counting. What you are counting is the number of
occurrences of the entire line (i.e. $0). If you just want to count the
pattern, the desc parameter must consist of the pattern you want to
count. Compare
type=singlewiththreshold
ptype=regexp
pattern=(routing.jsp_servlet._dialogs)
desc=$1
action=write - $0
window=10
thresh=10
this with what you have. $0 is replaced with $1.
The behind the scenes stuff that makes this work is described in the
SEC man page, but it basically goes like this:
read a line
if the line matches the pattern of a correlating rule (e.g. pair,
pairwithwindow, singlewiththreshold etc) calculate the desc
parameter for the line
if an existing correlation operating for the same rule with the
same desc parameter exists count the current line as part of
that correlation operation.
if there is no existing correlation operation, start a new one.
In your original case if $0 is different in any respect (timestamp,
line number ...) the desc parameter will be different for every event
and the lines/events will appear to be unrelated.
The easy way to tell if this is happening is to send a kill -USR1 to
the running sec process. It will dump its internal state to
/tmp/sec.dump (make sure the file doesn't exist before sending the
kill or it won't get updated). In the correlation section you will see
multiple operations listed.
>I'm thinking because of the limitation of sysread to 1024 characters, SEC
>is unable to process multiple lines in a singlewiththreshold window.
No, as mentioned in another email the 1024 setting can be changed on
the command line. Also your singlewiththreshold rule is only matching
a single line not multiple lines.
>I tried the same rule to a similar file whose characters per line does not
>exceed 1024 and it works fine.
$0 is probably identical in that case.
--
-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
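The desc-keying behaviour described in the reply above, as an added worked model that is not SEC's own code and not part of the original thread. The script replays a handful of constructed log lines (timestamps and request ids invented here) through a toy singlewiththreshold evaluator once with desc=$0 and once with desc=$1, so you can see why the first starts a fresh correlation operation for every line while the second counts them together. The function names, the sample lines and the simplification that an operation is dropped as soon as it fires (real SEC keeps it alive until its window expires) are all assumptions of this example.

```python
import re
from collections import defaultdict, deque

# Constructed sample events (not from the original post): (time in seconds, log line).
# The timestamp and request id differ on every line, so the whole line ($0) never
# repeats even though the matched pattern text is identical each time.
SAMPLE_EVENTS = [
    (1.0 + i * 0.1,
     f"Nov 01 10:00:{i:02d} webhost app[4242]: "
     f"GET /routing.jsp_servlet._dialogs?req={1000 + i} 200")
    for i in range(12)
]

PATTERN = r"(routing.jsp_servlet._dialogs)"   # the poster's pattern, one capture group


def expand_desc(desc, line, match):
    """Expand $0 (the whole input line) and $N (capture group N) in a desc template."""
    def sub(m):
        n = int(m.group(1))
        if n == 0:
            return line
        return match.group(n) or ""
    return re.sub(r"\$(\d+)", sub, desc)


def run_singlewiththreshold(events, pattern, desc, window, thresh):
    """Replay events through a simplified model of one singlewiththreshold rule.

    Every matching line is assigned to the correlation operation whose key is
    its expanded desc; each operation counts only the events carrying its key.
    Returns (fired, operations): the (time, key) pairs at which the action would
    run, and the number of distinct correlation operations that were started.
    Simplification (hypothetical, not SEC's exact behaviour): an operation is
    dropped as soon as it fires instead of living on until its window expires.
    """
    rx = re.compile(pattern)
    pending = defaultdict(deque)   # key -> timestamps of counted events
    seen_keys = set()
    fired = []
    for t, line in events:
        m = rx.search(line)
        if m is None:
            continue
        key = expand_desc(desc, line, m)
        seen_keys.add(key)
        q = pending[key]
        q.append(t)
        while q and t - q[0] > window:   # forget events that fell out of the window
            q.popleft()
        if len(q) >= thresh:
            fired.append((t, key))
            del pending[key]
    return fired, len(seen_keys)


def compare_desc_keys():
    """Run the poster's rule with desc=$0 and with desc=$1 over the same events."""
    results = {}
    for desc in ("$0", "$1"):
        results[desc] = run_singlewiththreshold(
            SAMPLE_EVENTS, PATTERN, desc, window=10, thresh=10)
    return results


if __name__ == "__main__":
    for desc, (fired, nops) in compare_desc_keys().items():
        print(f"desc={desc}: {nops} correlation operation(s) started, "
              f"action fired {len(fired)} time(s)")
```

With desc=$0 the model starts twelve one-event operations and never reaches thresh, which is exactly what the kill -USR1 dump would show as a long list of separate operations; with desc=$1 there is a single operation that fires on the tenth matching line.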
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users