In message <1285950348.25147.9.ca...@kittyhawk.ittns.northwestern.edu>,
Mike Rykowski writes:
>What I want to do is ignore subsequent messages if the mac and network
>are the same. But if a subsequent message has the same network but
>different mac then send email. 

Ahh, so I have the wrong problem description too.

> ... dhcpd: DHCPDISCOVER from 00:00:00:00:00:00 via 1.2.3.4: network 1.2.3/23: 
> no free leases


I haven't had a chance to test this but I think it should work. Try
the following:

  # Pair rule: event A opens a 120 s operation for one network ($1 in desc
  # keys the operation per network); event B is a DISCOVER on that network.
  type = pair
  desc = match starting line and extract elements for network $1
  ptype = regexp
  pattern = dhcpd: DHCPDISCOVER from \S+ via \S+ network (\S+): no free leases
  context = ! network_$1
  rem = action when event A arrives
  action = create network_$1 120
  desc2 = match event on same network but for different ethernet address
  ptype2 = regexp
  pattern2 = dhcpd: DHCPDISCOVER from (\S+) via \S+ network $1: no free leases
  rem = action when event B arrives within window
  action2 = ....
  window = 120

If another 

  ... from 00:00:00:00:00:00 via 1.2.3.4: network 1.2.3/23: no free leases

comes through, it is suppressed automatically because it matches the
trigger event as specified by "pattern". If an event like:

 ... from 11:11:11:11:11:11 via 1.2.3.4: network 1.2.3/23: no free leases

comes through, it doesn't trigger pattern 1 because the context
network_1.2.3/23 (network_$1) exists for 2 minutes after the
triggering event. However it does match pattern 2.

If an event:

  ... from 00:01:00:00:00:00 via 1.2.3.4: network 1.2.3.0/24: no free leases

comes through, it won't match "pattern2" since $1 is set to 1.2.3/23 (it may
match "pattern" and start a new correlation operation though).

--
                                -- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
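
The behaviour requested in this thread (ignore repeats of the same MAC and network, report a different MAC on the same network within 120 seconds), simulated in Python over constructed log lines as an added example; it is not SEC and not code from the thread. The function name, the tuple layout and the sample lines are assumptions made for the illustration.

```python
import re

# Same shape as the dhcpd line quoted in the thread, colons included.
LINE_RE = re.compile(
    r"dhcpd: DHCPDISCOVER from (\S+) via \S+ network (\S+): no free leases"
)
WINDOW = 120  # seconds, matching "window = 120" in the rule


def correlate(events):
    """events: iterable of (epoch_seconds, log_line), in time order.

    Returns one (time, network, first_mac, new_mac) tuple for every MAC
    that differs from those already seen on a network inside the window.
    """
    open_ops = {}  # network -> (start_time, first_mac, set_of_seen_macs)
    alerts = []
    for ts, line in events:
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated log line
        mac, net = m.group(1), m.group(2)
        op = open_ops.get(net)
        if op is None or ts - op[0] >= WINDOW:
            # No live window for this network: this event opens one.
            open_ops[net] = (ts, mac, {mac})
            continue
        start, first_mac, seen = op
        if mac in seen:
            continue  # same MAC, same network: suppressed
        seen.add(mac)
        alerts.append((ts, net, first_mac, mac))
    return alerts


def _line(mac, net):
    # Constructed sample line in the format shown in the thread.
    return ("Oct  1 10:00:00 host dhcpd: DHCPDISCOVER from %s via 1.2.3.4: "
            "network %s: no free leases" % (mac, net))


SAMPLE = [  # constructed events, not real logs
    (0, _line("00:00:00:00:00:00", "1.2.3/23")),      # opens the window
    (10, _line("00:00:00:00:00:00", "1.2.3/23")),     # repeat, suppressed
    (20, _line("11:11:11:11:11:11", "1.2.3/23")),     # different MAC: alert
    (30, _line("00:01:00:00:00:00", "1.2.3.0/24")),   # other network: new window
    (200, _line("22:22:22:22:22:22", "1.2.3/23")),    # first window expired
]
```

Running candidate log lines through `LINE_RE` before loading a rule is a quick way to confirm the pattern matches the real dhcpd output.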
