On 1/20/2011 11:26 AM, Morris, Christopher wrote:

Background:

· SEC is used to monitor syslog messages from a large number of machines on a centralized syslog server.
· We have an in-house application logging messages that I want to report to the developer when we see a certain threshold hit.

Sample Syslog messages:

Jan 19 16:10:02 cto975 logger[11579]: CVGALERT: Liberty app at vm972:5260 is not responding.
Jan 19 16:10:04 labb04 logger[8814]: CVGALERT: Liberty app at labb04.dev.sabre.com:28000 is not responding.
Jan 19 16:11:01 vm975 logger[11590]: CVGALERT: Liberty app at vm972:5260 is not responding.
Jan 19 16:11:01 labb04 logger[12037]: CVGALERT: Liberty app at labb04.dev.sabre.com:28000 is not responding.
Jan 19 16:11:01 vm973 logger[11640]: CVGALERT: Liberty app at vm972:5260 is not responding.
Jan 19 16:11:01 vm974 logger[11675]: CVGALERT: Liberty app at vm972:5260 is not responding.
Jan 19 16:11:01 vm976 logger[11575]: CVGALERT: Liberty app at vm972:5260 is not responding.
Jan 19 16:11:01 vm977 logger[11661]: CVGALERT: Liberty app at vm972:5260 is not responding.

Listed below are the two rules I use to capture syslog messages and report them when a threshold of 20 messages is reached.

type=SingleWithThreshold
continue=takenext
ptype=RegExp
pattern=:\d\d \S+ .*Liberty app at (\S+) (.*)
desc=Liberty at host:port $1 reporting $2
action=report liberty_$1 /usr/bin/mailx -s "%s" [email protected] [email protected]; \
        delete liberty_$1
window=21600
thresh=20

type=single
ptype=regexp
pattern=:\d\d \S+ .*Liberty app at (\S+) (.*)
desc=Liberty error messages
action=add liberty_$1 $0


I may be missing something, but I don't see that you're actually doing anything with the context you're adding to in rule #2. If it's not used for anything, then you're right: it's redundant. It looks to me like all your work's being done in the first rule, and the second is just saving a value that's never used anywhere.
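As an added illustration of what the two quoted rules do together (this is not code from the thread or from SEC itself): a Python model of a SingleWithThreshold rule whose matches are also stored in a liberty_$1 context, run over constructed lines shaped like the ones above. The year 2011, the host numbers and the 30-second spacing of the constructed input are assumptions.

```python
import re, calendar, time
from collections import defaultdict, deque

# Pattern copied from the SEC rule: $1 is host:port, $2 the rest of the message.
PATTERN = re.compile(r":\d\d \S+ .*Liberty app at (\S+) (.*)")
# Syslog timestamps carry no year; 2011 (the thread's date) is assumed here.
STAMP = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) ")

def parse_stamp(line, year=2011):
    m = STAMP.match(line)
    return calendar.timegm(time.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"))

class ThresholdCorrelator:
    """Approximates SingleWithThreshold plus 'add liberty_$1 $0': once `thresh`
    matches with the same $1 fall inside `window` seconds, the stored events
    are reported and the context is deleted, as the quoted action does."""
    def __init__(self, window=21600, thresh=20):
        self.window, self.thresh = window, thresh
        self.contexts = defaultdict(deque)  # "liberty_$1" event store: (ts, line)
        self.reports = []                   # (desc, stored lines) handed to mailx

    def feed(self, line):
        m = PATTERN.search(line)
        if not m or not STAMP.match(line):
            return None
        key, msg, ts = m.group(1), m.group(2), parse_stamp(line)
        store = self.contexts[key]
        while store and ts - store[0][0] > self.window:  # slide the window
            store.popleft()
        store.append((ts, line))
        if len(store) < self.thresh:
            return None
        desc = f"Liberty at host:port {key} reporting {msg}"
        self.reports.append((desc, [l for _, l in store]))  # 'report liberty_$1'
        del self.contexts[key]                              # 'delete liberty_$1'
        return desc

# Constructed input modelled on the thread's messages: 22 alerts for vm972:5260
# from five hosts, 30 s apart, plus two for labb04.dev.sabre.com:28000.
SAMPLE = [f"Jan 19 16:{10 + i // 2}:{(i % 2) * 30:02d} vm97{3 + i % 5} logger[{11500 + i}]:"
          f" CVGALERT: Liberty app at vm972:5260 is not responding." for i in range(22)]
SAMPLE += [f"Jan 19 16:1{i}:04 labb04 logger[8814]: CVGALERT: Liberty app at"
           f" labb04.dev.sabre.com:28000 is not responding." for i in range(2)]

def run(lines, window=21600, thresh=20):
    corr = ThresholdCorrelator(window, thresh)
    fired = [d for d in (corr.feed(l) for l in lines) if d]
    return fired, corr
```

Calling run(SAMPLE) fires one report for vm972:5260 on the 20th alert and leaves the last two alerts plus the two labb04 alerts pending; run(SAMPLE, window=60) never fires because the sliding window only ever holds three alerts.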
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users