Well... the desc field *is* the key for event correlation operations, and it has been so since the very first release. Although in some cases it might seem nice to employ the context for the event correlation key, there are many scenarios where having a separate context is needed (e.g., counting events across many nodes, so that an event from any given node is counted only once).

br,
risto
> I found what I believe is a bug, because the behavior seems wrong in handling 2 events linked with a variable context.
>
> Take for instance these rules:
>
>   #1A
>   type=Single
>   ptype=RegExp
>   pattern=test for (\S+)
>   desc=Event detected for $1
>   action=add EVENT_$1 $0;
>   continue=TakeNext
>
>   #2A
>   type=SingleWithThreshold
>   window=86400
>   thresh=2
>   ptype=RegExp
>   pattern=test for (\S+)
>   desc=Additional Event Detected
>   context=EVENT_$1
>   action=logonly "Threshold has been reached!";
>
> I would imagine that for 2 events, where the variable is different, the threshold would *not* be reached, e.g.:
>
>   echo "test for foo" >> /var/log/test-syslog
>   echo "test for bar" >> /var/log/test-syslog
>
> However, the threshold *is* reached:
>
>   Mon Jul 26 19:28:07 2010: Adding event 'test for foo' to context 'EVENT_foo'
>   Mon Jul 26 19:28:07 2010: Adding event 'test for bar' to context 'EVENT_bar'
>   Mon Jul 26 19:28:07 2010: "Threshold has been reached!"
>
> After trial and error I discovered the cause is that the desc is the same inside the 2 created contexts. If you add the variable to the desc in your second rule, the problem goes away:
>
>   #2B
>   type=SingleWithThreshold
>   window=86400
>   thresh=2
>   ptype=RegExp
>   pattern=test for (\S+)
>   desc=Additional Event Detected $1
>   context=EVENT_$1
>   action=logonly "Threshold has been reached!";
>
> Arguably, 2B is a more descriptive rule and should be used instead of 2A - but this behavior is not the behavior an end user would expect. One would expect that in the event store the context is the key and the description is the value, and that the value could be anything.
>
> Thanks everyone for all contributions to SEC (especially Risto Vaarandi) - it's an awesome tool.
> -Chris
>
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
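The following is an added illustration of the behaviour discussed in this thread; it is a toy Python model written for this page, not SEC's own code. It models two things Risto's reply states: a SingleWithThreshold counter is keyed by the rule plus the *expanded* desc string, and the context expression only decides whether the rule may match at all. Rules are reduced to dicts, actions to `add`/`create`/`logonly`, the time window is ignored (all sample events fall within it), and the sample log lines are constructed. The last function goes beyond Chris's case and models the scenario Risto mentions: counting an event across many nodes so that each node contributes only once, which needs a constant desc (one counter) and a per-node context.

```python
import re
from collections import defaultdict


def expand(template, m):
    """Substitute $0 (whole match) and $1.. (regex groups), SEC style."""
    out = template.replace("$0", m.group(0))
    for i in range(m.re.groups, 0, -1):          # $10 before $1
        out = out.replace("$" + str(i), m.group(i) or "")
    return out


class Correlator:
    """Toy model of SEC rule processing (added example, not SEC's code).
    Counters are keyed by (rule id, expanded desc); the context expression
    (NAME or !NAME) only gates whether the rule matches."""

    def __init__(self, rules):
        self.rules = rules
        self.contexts = set()                    # created context names
        self.counters = defaultdict(int)         # (rule id, expanded desc) -> hits
        self.fired = []                          # messages from logonly actions

    def context_ok(self, expr, m):
        if expr is None:
            return True
        negate = expr.startswith("!")
        name = expand(expr.lstrip("!"), m)
        return (name in self.contexts) != negate

    def run_actions(self, actions, m):
        for act in filter(None, (a.strip() for a in actions.split(";"))):
            verb, _, arg = act.partition(" ")
            if verb in ("add", "create"):        # both just create the context here
                self.contexts.add(expand(arg.split(" ")[0], m))
            elif verb == "logonly":
                self.fired.append(expand(arg.strip('"'), m))

    def feed(self, line):
        for rule in self.rules:
            m = rule["pattern"].search(line)
            if not m or not self.context_ok(rule.get("context"), m):
                continue
            if rule["type"] == "Single":
                self.run_actions(rule["action"], m)
            elif rule["type"] == "SingleWithThreshold":
                key = (rule["id"], expand(rule["desc"], m))   # desc is the key
                self.counters[key] += 1
                if self.counters[key] == rule["thresh"]:
                    self.run_actions(rule["action"], m)
            if rule.get("continue") != "TakeNext":
                break


TEST_PATTERN = re.compile(r"test for (\S+)")

RULE_1A = {"id": "1A", "type": "Single", "pattern": TEST_PATTERN,
           "desc": "Event detected for $1", "action": "add EVENT_$1 $0",
           "continue": "TakeNext"}


def threshold_rule(desc):
    """Rule 2A or 2B from the thread, differing only in desc."""
    return {"id": "2", "type": "SingleWithThreshold", "pattern": TEST_PATTERN,
            "thresh": 2, "desc": desc, "context": "EVENT_$1",
            "action": 'logonly "Threshold has been reached!"'}


def run_chris_example(desc):
    """How many times the threshold action fires for 'foo' then 'bar'."""
    c = Correlator([RULE_1A, threshold_rule(desc)])
    for line in ("test for foo", "test for bar"):      # constructed sample lines
        c.feed(line)
    return len(c.fired)


def run_per_node_count():
    """Risto's scenario: one counter across nodes, each node counted once."""
    pat = re.compile(r"^(\S+) sshd\[\d+\]: Failed password")
    rules = [
        {"id": "N1", "type": "SingleWithThreshold", "pattern": pat, "thresh": 2,
         "desc": "Failed logins seen on 2 distinct nodes",   # constant: one counter
         "context": "!NODE_$1", "continue": "TakeNext",
         "action": 'logonly "Failed logins on a 2nd node: $1"'},
        {"id": "N2", "type": "Single", "pattern": pat,
         "desc": "Remember node $1", "action": "create NODE_$1"},
    ]
    c = Correlator(rules)
    for line in (                                       # constructed sample lines
        "host1 sshd[101]: Failed password for root",
        "host1 sshd[102]: Failed password for root",   # same node, not counted again
        "host2 sshd[201]: Failed password for admin",
    ):
        c.feed(line)
    return len(c.fired), sorted(c.contexts)


if __name__ == "__main__":
    print("2A fires:", run_chris_example("Additional Event Detected"))
    print("2B fires:", run_chris_example("Additional Event Detected $1"))
    print("per-node:", run_per_node_count())
```

With rule 2A the two events share the key `("2", "Additional Event Detected")`, so the second event reaches the threshold even though they created different contexts; with 2B the `$1` in desc splits them into two counters and nothing fires. In the per-node case the roles are reversed on purpose: the constant desc pools all nodes into one counter, and the `!NODE_$1` context stops a node that has already been seen from being counted again.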
