Hi all,
*Sorry, I made a typo mistake in my previous mail.*

I am having a slight problem; maybe some of you can just take a look and figure it out. I am assigning a value to a variable using eval in Rule 1, and then using the same value all over in the other rules.

But I am not sure why the other rules are not able to recognize the pattern.
The following are the rules:

rule 1:
--------

type=Single
ptype=regexp
pattern=^\[\d+\]\sCURRENT\sSERVICE\sSTATE:\s(\w+);(mm_error|mq_error|ms_error);(CRITICAL);(HARD|SOFT);(\d).+$
context=!$1-MMSD-$2-$3
desc=Fault-event:
action=create $1-MMSD-$2-$3; \
        eval %h ( $h = "$1"); \
        write /usr/local/etc/SEC_Log_Pipe [%u] %s %h-MMSD-$2-CRITICAL is $3; \
        event %h-MMSD-Service-Problem;

### $1 = hostname, $2=fault, $3=flag (i.e. CRITICAL)

rule 2:
--------
type=single
ptype=substr
pattern=%h-MMSD-Service-Problem
context=%h-MMSD-mm_error-CRITICAL && %h-MMSD-mq_error-CRITICAL && %h-MMSD-ms_error-CRITICAL
desc=Problem Detected:
action= write - [%t] %s; \
        write /usr/local/etc/SEC_Log_Pipe [%u] %s %h-MMSD-Service;

rule 3:
----------
type=Single
ptype=regexp
pattern=^\[\d+\]\sCURRENT\sSERVICE\sSTATE:\s(\w+);(mm_error|mq_error|ms_error);(OK);(HARD|SOFT);(\d).+$
desc=OK event received: removing context %h-MMSD-$2-$3
context=%h-MMSD-$2-CRITICAL
action=write %s; \
        delete %h-MMSD-$2-CRITICAL;
###########################################################

For the given sample data it only matches Rule 1 but never matches Rule 2 or Rule 3.

Sample Input Data:
-----------------------------
[1284336000] CURRENT SERVICE STATE: cmtest01;mm_eror;CRITICAL;HARD;1;Agent Service
[1284336000] CURRENT SERVICE STATE: cmtest01;mq_eror;CRITICAL;HARD;1;Agent Service
[1284336000] CURRENT SERVICE STATE: cmtest01;ms_eror;CRITICAL;HARD;1;Agent Service
# After this, all contexts have been created and Rule 2 should be applied, but this is not happening here.

[1284336000] CURRENT SERVICE STATE: cmtest01;mm_eror;OK;HARD;1;Agent Service
[1284336000] CURRENT SERVICE STATE: cmtest01;mq_eror;OK;HARD;1;Agent Service
[1284336000] CURRENT SERVICE STATE: cmtest01;ms_eror;OK;HARD;1;Agent Service
# Rule 3 should execute, but again this is not happening in this case.


Note: %h is cmtest01 (hostname).


If, instead of using %h, I place 'cmtest01', then everything works fine.

Can anybody suggest what is wrong here?

Thanks and regards
--

Kind Regards

M Haris Farooque


_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
OK, I managed to fix it, but I am still not sure about SEC's behaviour in treating internal variables. In my Rule 2 and Rule 3, I made one change and it started working as it should. The changes I made are highlighted in '*GREEN*'.

Rule 2:
---------

type=single
ptype=*regexp*
pattern=*^(\w+)-MMSD-Service-Problem*
context=*$1-*MMSD-mm_error-CRITICAL && **$1**-MMSD-mq_error-CRITICAL && *$1*-MMSD-ms_error-CRITICAL
desc=Problem Detected:
action= write - [%t] %s; \
        write /usr/local/etc/SEC_Log_Pipe [%u] %s *%h*-MMSD-Service;

rule 3:
----------
type=Single
ptype=regexp
pattern=^\[\d+\]\sCURRENT\sSERVICE\sSTATE:\s(\w+);(mm_error|mq_error|ms_error);(*OK*);(HARD|SOFT);(\d).+$
desc=OK event received: removing context $1-MMSD-$2-$3
context=**^(\w+)**-MMSD-$2-CRITICAL
action=write %s; \
delete %h-MMSD-$2-CRITICAL; ## Delete Context with %h. its Working but ???


If the scope of the variable is extended across different rules and across different files, then why is it not able to retrieve the value of '%h' here? It is surprising that, in Rule 3, I am still able to delete the context by using %h.
--

Kind Regards

M Haris Farooque
