version: 2.5.3-1+nmu1 (Debian)

I found what I believe is a bug, because the behavior seems wrong in handling 2 events linked with a variable context.

Take for instance these rules:

> #1A
> type=Single
> ptype=RegExp
> pattern=test for (\S+)
> desc=Event detected for $1
> action=add EVENT_$1 $0;
> continue=TakeNext
>
> #2A
> type=SingleWithThreshold
> window=86400
> thresh=2
> ptype=RegExp
> pattern=test for (\S+)
> desc=Additional Event Detected
> context=EVENT_$1
> action=logonly "Threshold has been reached!";

I would imagine that for 2 events, where the variable is different, the threshold would *not* be reached. E.g.:

> echo "test for foo" >> /var/log/test-syslog
> echo "test for bar" >> /var/log/test-syslog

However, the threshold *is* reached:

> Mon Jul 26 19:28:07 2010: Adding event 'test for foo' to context 'EVENT_foo'
> Mon Jul 26 19:28:07 2010: Adding event 'test for bar' to context 'EVENT_bar'
> Mon Jul 26 19:28:07 2010: "Threshold has been reached!"

After trial and error I discovered the cause is that the desc is the same inside the 2 created contexts. If you add the variable to the desc in your second rule, the problem goes away:

> #2B
> type=SingleWithThreshold
> window=86400
> thresh=2
> ptype=RegExp
> pattern=test for (\S+)
> desc=Additional Event Detected $1
> context=EVENT_$1
> action=logonly "Threshold has been reached!";

Arguably, 2B is a more descriptive rule and should be used instead of 2A - but this behavior is not the behavior an end user would expect. One would expect that in the event store the context is the key, and the description is the value, and that the value could be anything.

Thanks everyone for all contributions to SEC (especially Risto Vaarandi) - it's an awesome tool.

-Chris
_______________________________________________
Simple-evcorr-users mailing list
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
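The behavior reported above follows from how SEC identifies a correlation operation: the key of a SingleWithThreshold operation is the rule plus the desc string after $-variable substitution, while the context= condition only decides whether a given event is allowed to match the rule. The following Python model, added here as an illustration and not part of the post or of SEC's own code, replays the two sample log lines through a minimal imitation of rules 1A and 2A/2B (the function names, the rule ids and the constructed sample lines are assumptions of this model) and shows why 2A fires on the second event while 2B keeps one counter per captured value.

```python
import re
from collections import defaultdict

# Constructed sample input mirroring the two echo lines in the post.
SAMPLE_LINES = ["test for foo", "test for bar"]

# Both rules use the same regexp.
PATTERN = re.compile(r"test for (\S+)")


def substitute(template, match):
    """Replace $0 with the whole match and $N with capture group N."""
    def repl(m):
        n = int(m.group(1))
        return match.group(0) if n == 0 else match.group(n)
    return re.sub(r"\$(\d+)", repl, template)


def simulate(lines, threshold_desc, thresh=2):
    """Feed lines through a toy model of rule 1A followed by rule 2A/2B.

    Returns (contexts, counters, fired):
      contexts - context name -> list of events stored by rule 1A's add action
      counters - (rule id, substituted desc) -> number of matching events,
                 i.e. the key SEC uses to identify the threshold operation
      fired    - substituted descs whose counter reached `thresh`
    """
    contexts = {}
    counters = defaultdict(int)
    fired = []
    for line in lines:
        m = PATTERN.search(line)
        if not m:
            continue
        # Rule 1A: type=Single, action=add EVENT_$1 $0, continue=TakeNext
        ctx = substitute("EVENT_$1", m)
        contexts.setdefault(ctx, []).append(substitute("$0", m))
        # Rule 2A/2B: context=EVENT_$1 must exist for the event to match ...
        if ctx not in contexts:
            continue
        # ... but the counting operation is keyed on rule id + substituted desc,
        # not on the context name.
        key = ("2", substitute(threshold_desc, m))
        counters[key] += 1
        if counters[key] == thresh:
            fired.append(key[1])
    return contexts, dict(counters), fired


def rule_2a(lines=SAMPLE_LINES):
    """desc=Additional Event Detected: one shared counter for every $1."""
    return simulate(lines, "Additional Event Detected")


def rule_2b(lines=SAMPLE_LINES):
    """desc=Additional Event Detected $1: a separate counter per $1."""
    return simulate(lines, "Additional Event Detected $1")


if __name__ == "__main__":
    for name, result in (("2A", rule_2a()), ("2B", rule_2b())):
        contexts, counters, fired = result
        print(name, "contexts:", sorted(contexts))
        print(name, "counters:", counters)
        print(name, "threshold fired for:", fired)
```

Running it shows that both variants create the contexts EVENT_foo and EVENT_bar, but 2A accumulates both events under the single key ("2", "Additional Event Detected") and fires on the second line, whereas 2B splits them into two keys that each stay at 1. When a threshold is meant to count per captured value, the value has to appear in desc, exactly as rule 2B does.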
