On 02/18/2011 01:48 AM, [email protected] wrote:
> I want to do a 'alert if more than X events in Y min' type of thing, but
> with the resulting alert containing the logs of the X events.
>
> I know that I can do something along the lines of
>
> if event
> add log message to context (with an expiration of the context)
>
> if more than X event in Y min
> send report
>
> but my problem is that these events are continuing to arrive all the time,
> so if I append the log message to the context and update the expiration of
> the context to a later time, _every_ instance of the event will end up in
> the report, and the context will grow without bound.
>
> is there any way to just report on the events that happened within the
> window?
>
> David Lang
>
> ------------------------------------------------------------------------------
> The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
> Pinpoint memory and threading errors before they happen.
> Find and fix more than 250 security defects in the development cycle.
> Locate bottlenecks in serial and parallel code that limit performance.
> http://p.sf.net/sfu/intel-dev2devfeb
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>
David,
you have asked a very good question -- in fact, this question was part
of the motivation behind the EventGroup rule design in SEC-2.6. In 2.5
and earlier versions, it was not easy to achieve context pruning during
counting operations, since it was impossible to execute actions after
window sliding. Fortunately, the EventGroup rule can be viewed as a
generalization of SingleWithThreshold rule that implements this feature
through the 'slide' field:
type=EventGroup
ptype=RegExp
pattern=Event: (\S+)
desc=count $1 events
action=report EVENTS_$1 /bin/cat
window=10
thresh=5
init=create EVENTS_$1
end=delete EVENTS_$1
count=add EVENTS_$1 %u: %t: Event $1 was seen
slide=getwpos %start 0; copy EVENTS_$1 %context; \
lcall %result %start %context -> ( sub { my($t) = $_[0]; \
my(@events) = (); foreach my $event (split(/\n/, $_[1])) { \
@fields = split(/:/, $event); if ($fields[0] >= $t) { \
push @events, $event; } } return @events; } ); \
fill EVENTS_$1 %result
The 'slide' field specifies an action that gets executed immediately
after the event correlation window has been moved for the operation, and
in the case above, we are using this action for dropping all events that
are outside the repositioned window. This raises another important
question -- how to determine the beginning of the repositioned window?
For this purpose, we can use the 'getwpos' action that appeared in
version 2.6 -- in the case above, the event correlation operation
harnesses this for determining the beginning of its own window, and
assigns the result to the %start variable. The content of the reporting
context is the assigned to the variable %context, and both %start and
%context are passed to Perl subroutine given with the 'lcall' action
which drops all events with older timestamps than %start. The remaining
events are returned from the Perl subroutine and assigned to variable
%result, which is then used for overwriting the reporting context.
In order to simplify things and increase the readability, I've been
thinking about adding simple compound statements to SEC action lists
which would allow looping over groups of actions and also conditional
execution (in if-then-else style). These conditionals would allow for
simpler scripting tasks inside action lists, and if shift/unshift style
actions are present for contexts, the above Perl subroutine could be
expressed in these terms. But this is something for future releases :)
Hope that this helps,
risto
------------------------------------------------------------------------------
The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
Pinpoint memory and threading errors before they happen.
Find and fix more than 250 security defects in the development cycle.
Locate bottlenecks in serial and parallel code that limit performance.
http://p.sf.net/sfu/intel-dev2devfeb
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
