hi Mike,

I have almost completed two possible example solutions to the problem, but after seeing your e-mail I have an inkling I've got the problem statement wrong :( So far I had an impression that you would like to do some clever pairwise correlation for events that are matched by (almost) identical regular expressions. (Just a note: if the expressions are almost the same, it is actually a bit tricky with Pair* rules.) However, from the example I've got an understanding that you would simply like to suppress duplicate alarms within a given time window, provided that *both* the MAC address and the network are the same. Is my understanding correct? If so, you could try the following rule:
type=SingleWithSuppress
ptype=RegExp
pattern=\S+\s+\S+\s+\S+\s+\S+ dhcpd: DHCPDISCOVER from (\S+) via \S+ network (\S+): no free leases
desc=$2 no free leases for MAC $1
action=send email
window=120

If I didn't get it quite right, I'll post my two example solutions :)

kind regards,
risto

On 10/01/2010 07:03 PM, Mike Rykowski wrote:
> What I tried before was similar. Here is the log message I am talking
> about:
>
> Sep 30 14:27:30 host dhcpd: DHCPDISCOVER from 00:00:00:00:00:00 via
> 1.2.3.4: network 1.2.3/23: no free leases
>
> 'A' is the MAC address and 'B' is the network.
>
>
> type=PairWithWindow
> ptype=RegExp
> pattern=\S+\s+\S+\s+\S+\s+\S+ dhcpd: DHCPDISCOVER from (\S+) via \S+ network (\S+): no free leases
> desc=$2 no free leases
> action=none
> ptype2=RegExp
> pattern2=\S+\s+\S+\s+\S+\s+\S+ dhcpd: DHCPDISCOVER from ^($1) via \S+ network ($2): no free leases
> desc2=$2 no free leases action
> action2=send email
> window=120
>
>
> On Fri, 2010-10-01 at 11:12 -0400, John P. Rouillard wrote:
>> Hello:
>>
>> In message<1285944684.24023.5.ca...@kittyhawk.ittns.northwestern.edu>,
>> Mike Rykowski writes:
>>> I'm trying to do something simple and I must be missing something
>>> obvious.
>>>
>>> I have a log message of the form 'blah A blah B'. There could be
>>> duplicates of the exact same message that I want to ignore, but if
>>> another message comes in with not A but B within a time period I want to
>>> do an action.
>>>
>>> For example 'blah A blah B' and within say 2 minutes I get a message
>>> 'blah !A blah B', then do action.
>>>
>>> I tried doing the above with a pair rule but it does not work.
>>
>> I think you want a PairWithWindow rule, not a pair rule.
>>
>> See if:
>>
>> type = pairwithwindow
>> desc = match starting line and extract elements
>> ptype = regexp
>> pattern = blah (\w+) blah (\w+)
>> rem = action if event B does not occur after event a within window
>> action = none
>> desc2 = match not first element with second element
>> ptype2 = substr
>> pattern2 = blah [!]$1 blah $2
>> rem = action if event B occurs after event a within window
>> action2 = ....
>> window = 120
>>
>> does what you want.
>>
>> --
>> -- rouilj
>> John Rouillard
>> ===========================================================================
>> My employers don't acknowledge my existence much less my opinions.

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
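Risto's SingleWithSuppress rule, run against Mike's requirement (an identical MAC/network pair repeated inside the window is dropped, a different MAC on the same network still alarms), as an added simulation that is not part of the thread or of SEC itself. The regex and desc string are taken from the rule above; the suppression semantics (first match fires, the same desc is dropped until window seconds after that first match) and the sample log lines are assumptions of this example.

```python
import re

# Regex copied from the SingleWithSuppress rule in the thread; $1 = MAC, $2 = network.
PATTERN = re.compile(
    r"\S+\s+\S+\s+\S+\s+\S+ dhcpd: DHCPDISCOVER from (\S+) via \S+ "
    r"network (\S+): no free leases"
)
WINDOW = 120  # seconds, as in window=120


def parse(line):
    """Return ($1, $2) = (mac, network) for a matching line, or None otherwise."""
    m = PATTERN.search(line)  # SEC RegExp patterns are unanchored, hence search()
    return (m.group(1), m.group(2)) if m else None


def run_single_with_suppress(events, window=WINDOW):
    """Simulate SingleWithSuppress (assumed semantics): the first matching event
    fires the action; later events with the same desc string are dropped until
    `window` seconds after that first event, then the cycle starts over.
    `events` is a list of (seconds, log_line); returns the (seconds, desc) alarms."""
    suppressed_until = {}  # desc -> timestamp at which suppression ends
    alarms = []
    for ts, line in events:
        fields = parse(line)
        if fields is None:
            continue  # lines that do not match the pattern never reach the rule
        mac, net = fields
        desc = f"{net} no free leases for MAC {mac}"  # desc=$2 no free leases for MAC $1
        if ts >= suppressed_until.get(desc, float("-inf")):
            alarms.append((ts, desc))
            suppressed_until[desc] = ts + window
    return alarms


# Constructed sample input modelled on Mike's log line; timestamps are seconds.
LINE = "{stamp} host dhcpd: DHCPDISCOVER from {mac} via 1.2.3.4: network {net}: no free leases"
SAMPLE_EVENTS = [
    (0, LINE.format(stamp="Sep 30 14:27:30", mac="00:00:00:00:00:00", net="1.2.3/23")),
    (30, LINE.format(stamp="Sep 30 14:28:00", mac="00:00:00:00:00:00", net="1.2.3/23")),  # duplicate
    (45, "Sep 30 14:28:15 host sshd[123]: Accepted publickey for alice"),  # unrelated line
    (60, LINE.format(stamp="Sep 30 14:28:30", mac="00:11:22:33:44:55", net="1.2.3/23")),  # other MAC
    (200, LINE.format(stamp="Sep 30 14:30:50", mac="00:00:00:00:00:00", net="1.2.3/23")),  # window over
]

if __name__ == "__main__":
    for ts, desc in run_single_with_suppress(SAMPLE_EVENTS):
        print(f"t={ts:>3}s  alarm: {desc}")
```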