As I understand it, you would like to do some sort of balance checking, i.e. whether every foo has a corresponding bar? The event correlation operations that Pair and PairWithWindow rules trigger actually consume repeated instances of the first event silently (in your case foo). In the case of your rule, mail will only be sent if no "bar" appears at all within 2 seconds after "foo".

My question: do those events have identifiers which tell which bar belongs to which foo? If so, then it would be easy to modify this rule; you would have to match the identifier with the regexp and use it as the event correlation key (set by the 'desc' field). However, if there are no such identifiers and you wish to perform counting-based balance checking, the task becomes not so simple, and can be solved with some Perl statements embedded in SEC rules.

kind regards,
risto
2011/1/20 Kim Scarborough <[email protected]>:
> Hello, forgive me if this is a dumb question.
>
> I set up SEC because I want to get a notification when a line matching
> "foo" appears in the log and is not followed by a line matching "bar". I
> set up the config like so:
>
> type=PairWithWindow
> ptype=SubStr
> pattern=foo
> desc=Foo without bar
> action=pipe '%s' /bin/mail [email protected]
> ptype2=SubStr
> pattern2=bar
> desc2=S'all cool
> action2=none
> window=2
>
> This works fine for the most part, but sometimes I'll get a sequence
> like this:
>
> foo
> foo
> foo
> bar
> bar
> bar
>
> In this case, I still get a notification, but I don't want one. I only
> want one if there's a foo without a corresponding bar (so if I got 3
> foos and 2 bars, I *would* want a mail).
>
> I've tried various settings but I can't seem to get it to behave like I
> want. Can anybody point me in the right direction?
>
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
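As an added example (not code from this thread, nor from the SEC distribution or its documentation), here is the quoted rule rewritten along the lines Risto describes for the case where the events do carry an identifier. It assumes a constructed log format of the form "foo id=1234" followed by "bar id=1234"; both regexps must be adapted to the real event lines, and if the identifier can contain regexp metacharacters the capture group should be tightened accordingly.

```conf
# Added example, not part of the original thread or of SEC itself.
# Assumed (constructed) event format: "foo id=1234" / "bar id=1234".
#
# Putting $1 into desc makes the identifier part of the event correlation
# key (rule file + rule + desc), so every distinct id gets its own
# 2-second operation instead of all foos sharing one. A second foo with
# the SAME id inside the window is still consumed silently, as Risto
# describes, but a bar for a different id no longer cancels this foo:
# $1 from the first match is substituted into pattern2 before it is
# compiled, so only "bar id=<same id>" counts as the matching bar.
# %s in the action expands to desc, so the mail names the id that lacked
# a bar.
type=PairWithWindow
ptype=RegExp
pattern=foo id=(\d+)
desc=Foo $1 without bar
action=pipe '%s' /bin/mail [email protected]
ptype2=RegExp
pattern2=bar id=($1)
desc2=Foo $1 matched by bar
action2=none
window=2
```

With this rule the sequence foo 1, foo 2, foo 3, bar 1, bar 2 (all within 2 seconds) produces exactly one mail, "Foo 3 without bar", whereas foo 1, foo 2, bar 1, bar 2 produces none. To try it interactively, run sec with --input=- and type the lines by hand, waiting longer than the window before the bar you want to see reported as missing.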
