I am interested in doing topN reports utilizing contexts and report from 
SEC itself. I am running into problems and I am looking for ideas to 
solve them.

I use SEC as an adjunct to my network management system.  The event logs 
have been formatted such that a regexp that will match
looks like:
pattern=View: \S+ Event: (.+) Severity: \S+ Source: (\S+) .* Details: (.*)
I regularly try to provide 2D histograms or counts of events and event 
sources via shell scripting (where ### represents a count of event or 
event_source) that crudely look like:
event1:  #####
     event1_source1:  ####
     event1_source2:  ####
     [....]
     event1_source3:  ####

event2:  #####
     event2_source1:  ####
     event2_source2:  ####
     [....]
     event2_source3:  ####

Is there any way to do this with SEC?  How do I access or count the 
contexts without accessing the guts of SEC?

type=Single
ptype=regexp
continue=Cont
# desc is required for a Single rule; added here so the rule loads as the log below shows
desc=create event and event_source contexts
pattern=View: \S+ Event: (.+) Severity: \S+ Source: (\S+) .* Details: .*
action=create "EVENT_$1" 86400; create "EVENT_SOURCE_$1_$2" 86400

I believe Risto previously wrote an example of how to dump contexts to 
stdout on a SEC_SHUTDOWN.  Can I use something like that to dump and 
count contexts?

type=Single
ptype=regexp
desc=print contexts
pattern=printme
action=eval %o ( while($context = each(%main::context_list)) {\
         print "Context name: $context\n"; \
         print '-' x 60, "\n"; \
         foreach $line (@{$main::context_list{$context}->{"Buffer"}}) {\
                 print $line, "\n"; \
         }\
         print '=' x 60, "\n"; \
         })


Ref: http://simple-evcorr.sourceforge.net/FAQ.html#3.23

View: cust1 Event: Node_Down Severity: Critical Source: myhost Details: testing 1 2 3

[peif...@bastion-1 TIM]$ sec.pl -conf=sec.test.cfg -input=- -log=- -debug=7
SEC (Simple Event Correlator) 2.4.1
Mon Jan 18 12:38:36 2010: SEC (Simple Event Correlator) 2.4.1
Reading configuration from sec.test.cfg
Mon Jan 18 12:38:36 2010: Reading configuration from sec.test.cfg
2 rules loaded from sec.test.cfg
Mon Jan 18 12:38:36 2010: 2 rules loaded from sec.test.cfg

View: cust1 Event: Node_Down Severity: Critical Source: myhost Details: testing 1 2 3
printme
Evaluating code 'while($context = each(%main::context_list)) {    print "Context name: $context\n";     print '-' x 60, "\n";     foreach $line (@{$main::context_list{$context}->{"Buffer"}}) {        print $line, "\n";     }        print '=' x 60, "\n";         }' and setting variable '%o'
Mon Jan 18 12:38:49 2010: Evaluating code 'while($context = each(%main::context_list)) {    print "Context name: $context\n";     print '-' x 60, "\n";     foreach $line (@{$main::context_list{$context}->{"Buffer"}}) {        print $line, "\n";     }        print '=' x 60, "\n";         }' and setting variable '%o'
Variable '%o' set to ''
Mon Jan 18 12:38:49 2010: Variable '%o' set to ''

Please advise,

Tim
-- 
Tim Peiffer
Network Support Engineer
Office of Information Technology
University of Minnesota/NorthernLights GigaPOP
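An added example (mine, not the poster's) that builds the two-level histogram from SEC-style contexts in plain Perl: it fills a stand-in for `%main::context_list` the way an `add` action would (one `Buffer` line per occurrence, the layout the FAQ snippet above reads) and then counts buffer lengths, since a bare `create` only refreshes an existing context and adds nothing to its buffer. It assumes the `EVENT_`/`EVENT_SOURCE_` naming from the first rule and source names without underscores; the sample lines and the `Iface:` field are constructed.

```perl
use strict;
use warnings;
# Constructed sample events. The poster's pattern needs at least one token
# between the Source value and "Details:" (note the spaces around ".*"),
# so a hypothetical "Iface:" field is included here.
my @events = (
    'View: cust1 Event: Node_Down Severity: Critical Source: hostA Iface: eth0 Details: a',
    'View: cust1 Event: Node_Down Severity: Critical Source: hostA Iface: eth1 Details: b',
    'View: cust1 Event: Node_Down Severity: Critical Source: hostB Iface: eth0 Details: c',
    'View: cust1 Event: Link_Down Severity: Major Source: hostC Iface: eth0 Details: d',
    'View: cust1 Event: Link_Down Severity: Major Source: hostC Iface: eth2 Details: e',
);
my $pattern = qr/View: \S+ Event: (.+) Severity: \S+ Source: (\S+) .* Details: (.*)/;
# Stand-in for %main::context_list, filled the way an "add" action would:
# one Buffer line per occurrence ("create" alone stores nothing to count).
my %context_list;
for my $line (@events) {
    next unless $line =~ $pattern;
    push @{ $context_list{"EVENT_$1"}{Buffer} }, $line;
    push @{ $context_list{"EVENT_SOURCE_${1}_$2"}{Buffer} }, $line;
}
# Turn buffer sizes into the event / per-source histogram, top $n of each.
# Assumes source names contain no underscore (the name split relies on it).
sub top_n_report {
    my ($ctx, $n) = @_;
    my (%event, %source);
    for my $name (keys %$ctx) {
        my $count = scalar @{ $ctx->{$name}{Buffer} || [] };
        if ($name =~ /^EVENT_SOURCE_(.+)_([^_]+)$/) {
            $source{$1}{$2} = $count;
        } elsif ($name =~ /^EVENT_(.+)$/) {
            $event{$1} = $count;
        }
    }
    my @out;
    my @evs = sort { $event{$b} <=> $event{$a} || $a cmp $b } keys %event;
    splice @evs, $n if @evs > $n;
    for my $ev (@evs) {
        push @out, sprintf('%s:  %s', $ev, '#' x $event{$ev});
        my %src = %{ $source{$ev} || {} };
        my @hosts = sort { $src{$b} <=> $src{$a} || $a cmp $b } keys %src;
        splice @hosts, $n if @hosts > $n;
        push @out, sprintf('     %s:  %s', $_, '#' x $src{$_}) for @hosts;
        push @out, '';
    }
    return join "\n", @out;
}
print top_n_report(\%context_list, 2), "\n";
```

Inside SEC the same `top_n_report` body can sit in an `eval` action with `\%main::context_list` passed in, so the report is produced without reaching into anything but the documented context hash.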


Simple-evcorr-users mailing list
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users