Hi all,
I am having a slight problem; maybe some of you can just take a look and
figure it out.
I am assigning a value to a variable using eval in Rule 1, and then
using the same value all over in the other rule set.
But I'm not sure why the other rules are not able to recognize the pattern.
For the given sample log data it only matches Rule 1 but never matches Rule
2 or Rule 3.
Sample Input Data:
-----------------------------
[1284336000] CURRENT SERVICE STATE: cmtest01;mm_eror;CRITICAL;HARD;1;Agent Service
[1284336000] CURRENT SERVICE STATE: cmtest01;mq_eror;CRITICAL;HARD;1;Agent Service
[1284336000] CURRENT SERVICE STATE: cmtest01;ms_eror;CRITICAL;HARD;1;Agent Service
# after this all contexts have been created and Rule 2 should be applied, but this is not happening here
[1284336000] CURRENT SERVICE STATE: cmtest01;mm_eror;OK;HARD;1;Agent Service
[1284336000] CURRENT SERVICE STATE: cmtest01;mq_eror;OK;HARD;1;Agent Service
[1284336000] CURRENT SERVICE STATE: cmtest01;ms_eror;OK;HARD;1;Agent Service
# Rule 3 should execute, but again this is not happening in this case
Note: %h is cmtest01 (hostname)
The following are the rules:
rule 1:
--------
type=Single
ptype=regexp
pattern=^\[\d+\]\sCURRENT\sSERVICE\sSTATE:\s(\w+);(mm_error|mq_error_ms_error);(*CRITICAL*);(HARD|SOFT);(\d).+$
context=!$1-MMSD-$2-$3
desc=Fault-event:
action=create $1-MMSD-$2-$3; \
*eval %h ( $h = "$1"); \*
write /usr/local/etc/SEC_Log_Pipe [%u] %s %h-MMSD-$2-CRITICAL is $3; \
event *%h-MMSD-Service-Problem*;
### $1 = hostname, $2=fault, $3=flag (i.e. CRITICAL)
rule 2:
--------
type=single
ptype=substr
pattern=*%h-MMSD-Service-Problem*
context=*%h-*MMSD-mm_error-CRITICAL && *%h*-MMSD-mq_error-CRITICAL && *%h*-MMSD-ms_error-CRITICAL
desc=Problem Detected:
action= write - [%t] %s; \
write /usr/local/etc/SEC_Log_Pipe [%u] %s *%h*-MMSD-Service;
rule 3:
----------
type=Single
ptype=regexp
pattern=^\[\d+\]\sCURRENT\sSERVICE\sSTATE:\s(\w+);(mm_error|mq_error_ms_error);(*OK*);(HARD|SOFT);(\d).+$
desc=OK event received: removing context %h-MMSD-$2-$3
context=*%h*-MMSD-$2-CRITICAL
action=write %s; \
delete %h-MMSD-$2-CRITICAL;
If instead of using %h, I place 'cmtest01' then everything works fine.
Can anybody suggest what is wrong here?
Thanks and regards
--
Kind Regards
M Haris
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users