On 01/20/2011 06:50 PM, Kim Scarborough wrote:
> Risto Vaarandi wrote:
>> As I understand, you would like to do some sort of balance checking if every foo has a corresponding bar? The event correlation operations that Pair and PairWithWindow rules trigger actually consume repeated instances of the first event silently (in your case foo). In the case of your rule, mail will only be sent if no "bar" appears at all within 2 seconds after "foo".
>
> Hmm. That's actually not the behavior I'm seeing. I logged 3 foos followed by 3 bars, all within one second, and was sent a notification.

Are you sure they came in exactly that order? I just tested it (in fear that the new alpha version might contain some weird bug), but it all worked fine for me. If you are suspecting the rule is not matching the events it should, you could try dumping event correlation data with the SIGUSR1 signal (this would tell you if the rule has matched and started an event correlation operation).

>
>> My question -- do those events have identifiers which tell which bar belongs to which foo? If so, then it would be easy to modify this rule -- you would have to match the identifier with the regexp and use it as the event correlation key (set by the 'desc' field). However, if there are no such identifiers and you wish to perform counting based balance checking, the task becomes not so simple and can be solved with some Perl statements embedded in SEC rules.
>
> Yeah, unfortunately there are no unique IDs or anything useful like that. The real log lines are nearly as generic as my example. The foo and corresponding bar will always be within a second or two, dunno if that helps or hurts.

OK. Are you perhaps then dealing with a scenario where one "foo" is never immediately followed by another one, but there is always a "bar" between them which belongs to the first "foo"? If that's not the case, then the task becomes somewhat blurry (and so does the solution), since it is not clear where the counting window should begin and how exactly to define imbalance.

kind regards,
risto

>
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
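The two behaviours Risto contrasts, modelled in Python as an added example (not code from the thread, not an SEC rule): a Pair-style operation that silently consumes repeated foos and alerts only when the first foo gets no bar within 2 seconds, beside a counting-based balance check that demands a bar for every foo. The event streams are constructed, and matching each bar to the oldest outstanding foo is an assumption this check makes because the events carry no identifiers.

```python
from collections import deque

WINDOW = 2.0  # seconds: the window used in the rule discussed above

def pair_rule_alerts(events, window=WINDOW, now=float("inf")):
    """Model of the Pair/PairWithWindow behaviour described in the thread.

    events: list of (timestamp, "foo" | "bar") in arrival order (constructed).
    The first "foo" starts one correlation operation; further "foo"s arriving
    while it is open are consumed silently; any "bar" closes it.  An alert is
    produced only when no "bar" arrives within `window` seconds of that first
    "foo".  `now` is the clock value when the result is read (default: after
    every possible window has expired).
    """
    alerts, started = [], None
    for ts, kind in events:
        if started is not None and ts - started > window:
            alerts.append(("foo without bar", started))  # window expired
            started = None
        if kind == "foo" and started is None:
            started = ts
        elif kind == "bar":
            started = None
    if started is not None and now - started > window:
        alerts.append(("foo without bar", started))
    return alerts

def balance_alerts(events, window=WINDOW, now=float("inf")):
    """Counting-based balance check: every "foo" must be answered by its own
    "bar" within `window` seconds.  Lacking identifiers, a "bar" is matched to
    the oldest outstanding "foo" (FIFO), an assumption that responses arrive
    in the order of their requests."""
    alerts, pending = [], deque()
    for ts, kind in events:
        while pending and ts - pending[0] > window:
            alerts.append(("foo without bar", pending.popleft()))
        if kind == "foo":
            pending.append(ts)
        elif kind == "bar":
            if pending:
                pending.popleft()
            else:
                alerts.append(("bar without foo", ts))
    while pending and now - pending[0] > window:
        alerts.append(("foo without bar", pending.popleft()))
    return alerts

# Constructed streams: Kim's case (3 foos then 3 bars within one second)
# and the same stream with the last bar missing.
BALANCED = [(0.0, "foo"), (0.1, "foo"), (0.2, "foo"),
            (0.5, "bar"), (0.6, "bar"), (0.7, "bar")]
ONE_SHORT = BALANCED[:-1]
```

On ONE_SHORT the Pair model stays silent (the first bar closed the only operation) while the balance check reports the third foo, which is the gap Risto's remark about counting-based checking points at.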
