hi, and sorry for not being able to answer yesterday :(

There is an easy explanation for the issue. The %<alnum> variables (which are created by SEC actions) can only be used in action lists, while the $<num> and %<num> match variables (created by patterns) work across the entire rule definition. However, %<alnum> variables have the advantage of being visible across all rules. There are several reasons for this -- some %<alnum> variables might not have a value yet when certain parts of the rule are processed (most notably %s); also, some values might not make sense at all (like function pointers). It would also make pattern handling much more complex.
For the rules you have, I actually see no reason to employ %<alnum> variables, since regular match variables are enough for handling the case. I made a couple of very minor corrections to the rules (hopefully I was able to understand the true meaning of the rules properly). I only removed the setting of the %h variable from Rule1, and also changed the 'context' field of Rule3 (previously this field contained a regular expression, but one can only use Boolean expressions in this field):

type=Single
ptype=regexp
pattern=^\[\d+\]\sCURRENT\sSERVICE\sSTATE:\s(\w+);(mm_error|mq_error|ms_error);(CRITICAL);(HARD|SOFT);(\d).+$
context=!$1-MMSD-$2-$3
desc=Fault-event:
action=create $1-MMSD-$2-$3; \
       write /usr/local/etc/SEC_Log_Pipe [%u] %s %h-MMSD-$2-CRITICAL is $3; \
       event $1-MMSD-Service-Problem;

type=single
ptype=regexp
pattern=^(\w+)-MMSD-Service-Problem
context=$1-MMSD-mm_error-CRITICAL && $1-MMSD-mq_error-CRITICAL && $1-MMSD-ms_error-CRITICAL
desc=Problem Detected:
action= write - [%t] %s; \
        write /usr/local/etc/SEC_Log_Pipe [%u] %s %h-MMSD-Service;

type=Single
ptype=regexp
pattern=^\[\d+\]\sCURRENT\sSERVICE\sSTATE:\s(\w+);(mm_error|mq_error|ms_error);(OK);(HARD|SOFT);(\d).+$
desc=OK event received: removing context $1-MMSD-$2-$3
context=$1-MMSD-$2-CRITICAL
action=write %s; \
       delete $1-MMSD-$2-CRITICAL

kind regards,
risto

On 11/05/2010 12:28 PM, M Haris Farooque wrote:
>
>> hi all,
>> *Sorry I made a typo mistake in my previous mail.*
>>
>> I am having a slight problem; maybe some of you can just take a look
>> and figure it out.
>> I am assigning some value to a variable using eval in Rule 1 and
>> then using the same value all over in the other rule set.
>>
>> but I'm not sure why the other rules are not able to recognize the pattern.
>> following are the rules;
>>
>> rule 1:
>> --------
>>
>> type=Single
>> ptype=regexp
>> pattern=^\[\d+\]\sCURRENT\sSERVICE\sSTATE:\s(\w+);(mm_error|mq_error|ms_error);(*CRITICAL*);(HARD|SOFT);(\d).+$
>> context=!$1-MMSD-$2-$3
>> desc=Fault-event:
>> action=create $1-MMSD-$2-$3; \
>> *eval %h ( $h = "$1"); \*
>> write /usr/local/etc/SEC_Log_Pipe [%u] %s %h-MMSD-$2-CRITICAL is $3; \
>> event *%h-MMSD-Service-Problem*;
>>
>> ### $1 = hostname, $2=fault, $3=flag (i.e. CRITICAL)
>>
>> rule 2:
>> --------
>> type=single
>> ptype=substr
>> pattern=*%h-MMSD-Service-Problem*
>> context=*%h-*MMSD-mm_error-CRITICAL && *%h*-MMSD-mq_error-CRITICAL && *%h*-MMSD-ms_error-CRITICAL
>> desc=Problem Detected:
>> action= write - [%t] %s; \
>> write /usr/local/etc/SEC_Log_Pipe [%u] %s *%h*-MMSD-Service;
>>
>> rule 3:
>> ----------
>> type=Single
>> ptype=regexp
>> pattern=^\[\d+\]\sCURRENT\sSERVICE\sSTATE:\s(\w+);(mm_error|mq_error|ms_error);(*OK*);(HARD|SOFT);(\d).+$
>> desc=OK event received: removing context %h-MMSD-$2-$3
>> context=*%h*-MMSD-$2-CRITICAL
>> action=write %s; \
>> delete %h-MMSD-$2-CRITICAL;
>> ###########################################################
>>
>> for the given sample data it only matches Rule 1 but never matches Rule 2
>> or Rule 3.
>>
>> Sample Input Data:
>> -----------------------------
>> [1284336000] CURRENT SERVICE STATE: cmtest01;mm_eror;CRITICAL;HARD;1;Agent Service
>> [1284336000] CURRENT SERVICE STATE: cmtest01;mq_eror;CRITICAL;HARD;1;Agent Service
>> [1284336000] CURRENT SERVICE STATE: cmtest01;ms_eror;CRITICAL;HARD;1;Agent Service
>> # after this all contexts have been created and Rule 2
>> should be applied, but this is not happening here
>>
>> [1284336000] CURRENT SERVICE STATE: cmtest01;mm_eror;OK;HARD;1;Agent Service
>> [1284336000] CURRENT SERVICE STATE: cmtest01;mq_eror;OK;HARD;1;Agent Service
>> [1284336000] CURRENT SERVICE STATE: cmtest01;ms_eror;OK;HARD;1;Agent Service
>> # rule 3 should execute, but again eventually this is
>> not happening in this case
>>
>> note: %h is cmtest01 (hostname)
>>
>> if instead of using %h, I place 'cmtest01' then everything works fine.
>>
>> can anybody suggest what is wrong here.
>>
>> thanks and regards
>> --
>>
>> Kind Regards/Mit freundlichen Grüßen
>>
>> M Haris Farooque
>>
>> ------------------------------------------------------------------------------
>> The Next 800 Companies to Lead America's Growth: New Video Whitepaper
>> David G. Thomson, author of the best-selling book "Blueprint to a
>> Billion" shares his insights and actions to help propel your
>> business during the next growth cycle. Listen Now!
>> http://p.sf.net/sfu/SAP-dev2dev
>>
>> _______________________________________________
>> Simple-evcorr-users mailing list
>> Simple-evcorr-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>
> Ok I managed to fix it but I am still not sure about SEC behaviour in
> treating internal variables. In my Rule 2 and Rule 3, I made one change
> and it starts working as it should. The changes I made are
> highlighted in '*GREEN*'
>
> Rule 2:
> ---------
>
> type=single
> ptype=*regexp*
> pattern=*^(\w+)-MMSD-Service-Problem*
> context=*$1-*MMSD-mm_error-CRITICAL && **$1**-MMSD-mq_error-CRITICAL && *$1*-MMSD-ms_error-CRITICAL
> desc=Problem Detected:
> action= write - [%t] %s; \
> write /usr/local/etc/SEC_Log_Pipe [%u] %s *%h*-MMSD-Service;
>
> rule 3:
> ----------
> type=Single
> ptype=regexp
> pattern=^\[\d+\]\sCURRENT\sSERVICE\sSTATE:\s(\w+);(mm_error|mq_error|ms_error);(*OK*);(HARD|SOFT);(\d).+$
> desc=OK event received: removing context $1-MMSD-$2-$3
> context=**^(\w+)**-MMSD-$2-CRITICAL
> action=write %s; \
> delete %h-MMSD-$2-CRITICAL; ## Delete context with %h. It's working but ???
>
> If the scope of the variable is extended across different rules and
> across different files, then why is it not able to retrieve the
> value of '%h' here? It is surprising that, in Rule 3, I am still able to
> delete the context by using %h.
> --
>
> Kind Regards/Mit freundlichen Grüßen
>
> M Haris Farooque
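To see what the corrected three-rule set does end to end, here is an added Python replay of it over constructed sample lines in the thread's Nagios log format; this is not SEC code or anything from the thread, and it models SEC contexts with a plain set of context names.

```python
import re
from typing import Iterable, List, Set, Tuple

# Same pattern as Rule 1 / Rule 3 above, with the state alternated so one
# regex serves both: group 1 = host ($1), group 2 = service ($2), group 3 = state ($3).
STATE_RE = re.compile(
    r"^\[\d+\]\sCURRENT\sSERVICE\sSTATE:\s(\w+);(mm_error|mq_error|ms_error);"
    r"(CRITICAL|OK);(HARD|SOFT);(\d).+$"
)
SERVICES = ("mm_error", "mq_error", "ms_error")

def correlate(lines: Iterable[str]) -> Tuple[List[str], Set[str]]:
    """Replay the three rules. contexts holds names like SEC's
    "<host>-MMSD-<service>-CRITICAL"; alerts lists each host whose three
    services are all CRITICAL, recorded once per transition (Rule 2)."""
    contexts: Set[str] = set()
    alerts: List[str] = []
    for line in lines:
        m = STATE_RE.match(line)
        if not m:
            continue                      # no rule pattern matches this line
        host, service, state = m.group(1), m.group(2), m.group(3)
        crit = f"{host}-MMSD-{service}-CRITICAL"
        if state == "CRITICAL":
            if crit in contexts:          # Rule 1: context=!$1-MMSD-$2-$3
                continue
            contexts.add(crit)            # action=create $1-MMSD-$2-$3
            # Rule 1 then emits "<host>-MMSD-Service-Problem"; Rule 2 matches it
            # with ^(\w+)-MMSD-Service-Problem and tests its own $1 (the host)
            # against the three contexts. A %<alnum> variable cannot appear in
            # that context= field, which is why the match variable is used.
            if all(f"{host}-MMSD-{s}-CRITICAL" in contexts for s in SERVICES):
                alerts.append(host)
        elif crit in contexts:            # Rule 3: context=$1-MMSD-$2-CRITICAL
            contexts.discard(crit)        # action=delete $1-MMSD-$2-CRITICAL
    return alerts, contexts

# Constructed sample lines. The thread's own sample data spells the services
# "mm_eror" etc., which the pattern (mm_error|mq_error|ms_error) never matches;
# the last line keeps that spelling to show it is silently ignored.
SAMPLE = [
    "[1284336000] CURRENT SERVICE STATE: cmtest01;mm_error;CRITICAL;HARD;1;Agent Service",
    "[1284336000] CURRENT SERVICE STATE: cmtest01;mq_error;CRITICAL;HARD;1;Agent Service",
    "[1284336000] CURRENT SERVICE STATE: cmtest01;mq_error;CRITICAL;HARD;1;Agent Service",
    "[1284336000] CURRENT SERVICE STATE: cmtest01;ms_error;CRITICAL;HARD;1;Agent Service",
    "[1284336000] CURRENT SERVICE STATE: cmtest01;mm_error;OK;HARD;1;Agent Service",
    "[1284336000] CURRENT SERVICE STATE: cmtest01;mq_eror;OK;HARD;1;Agent Service",
]
```

Running `correlate(SAMPLE)` yields one alert for cmtest01 (raised when the third service goes CRITICAL, with the duplicate mq_error line suppressed) and leaves the mq_error and ms_error contexts in place, because the mm_error OK line clears only its own context and the misspelt mq_eror line matches no rule.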