2011/3/29 Ludovic Hutin <[email protected]>:
> Hi,
>
> The tools can do so many things that we are not clear about what we would
> like to do.
> To begin with, we will do some easy cases.
> Thanks for your code, which works perfectly.
>
> Best regards,
> Ludovic.
OK :) If you would like to implement another scenario, it is
relatively easy to draft a ruleset for this as well. Also, my previous
example can be written in various different ways -- for example, you
could use a Single rule for this and put the content of the 'end' and
'count' fields from EventGroup into the 'action' field of Single. In
fact, I posted the previous example to illustrate the capabilities
of the new EventGroup rule type :)
kind regards,
risto
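To make the semantics of the EventGroup rule quoted below concrete (one sliding window per user name, counters kept in the Perl hash %ucounts, report fired once the window has elapsed since that user's last event), here is an added Python model of that logic run over a constructed event stream. It is not SEC code and not part of either poster's ruleset; the timestamps and log lines are constructed, and the `per_user=False` mode is a simplified model of the original ruleset's single global %count variable (it assumes the variable is read when the report fires), included to show why a global SEC variable cannot count per user.

```python
"""Model of the per-user inactivity-window counter discussed in the thread.

Added example, not SEC code: it reproduces in Python what the EventGroup
rule with multact=yes does, so the window sliding and the per-user hash can
be checked against a constructed event stream.
"""
import re

# Same pattern as the EventGroup rule in the thread; group 1 is the user name.
PATTERN = re.compile(r'ERROR.*User "(\S+)" attempted to authenticate')
WINDOW = 20  # seconds, matching window=20 in the rule

# Constructed sample stream: (seconds since start, log line).
SAMPLE_EVENTS = [
    (0,  'ERROR User "toto" attempted to authenticate'),
    (3,  'INFO User "toto" logged in'),            # does not match the pattern
    (5,  'ERROR User "tita" attempted to authenticate'),
    (12, 'ERROR User "toto" attempted to authenticate'),
    (18, 'ERROR User "tita" attempted to authenticate'),
    (40, 'ERROR User "tutu" attempted to authenticate'),
    (50, 'ERROR User "toto" attempted to authenticate'),
]


def correlate(events, window=WINDOW, end_time=None, per_user=True):
    """Return a list of (report_time, user, count) reports.

    per_user=True models the EventGroup rule: a separate window per user
    name, counts kept in a dict keyed by user (the %ucounts hash), and the
    'end' action fires `window` seconds after that user's last event.

    per_user=False is a simplified model of the original ruleset, where the
    NB_APPARITION_<user> contexts are per user but %count is one global SEC
    variable, so the value reported for a user is the total across all users
    (assumption: the variable is read when the report fires).
    """
    counts = {}      # per-user counters, like %ucounts
    total = 0        # the single global counter of the original ruleset
    last_seen = {}   # user -> timestamp of the last matching event
    reports = []

    def expire(now):
        # Fire the 'end' action for every user whose window closed at or
        # before `now`, in the order the windows closed.
        for user in sorted(last_seen, key=last_seen.get):
            closes = last_seen[user] + window
            if closes <= now:
                n = counts.pop(user) if per_user else total
                reports.append((closes, user, n))
                del last_seen[user]

    for ts, line in events:
        expire(ts)                     # time advances: close stale windows
        m = PATTERN.search(line)
        if not m:
            continue                   # non-matching lines are ignored
        user = m.group(1)
        counts[user] = counts.get(user, 0) + 1   # ++$ucounts{$_[0]}
        total += 1
        last_seen[user] = ts           # multact=yes: the window slides

    # Flush whatever is still open once the stream has been read to the end.
    if end_time is None:
        end_time = max((ts for ts, _ in events), default=0) + window
    expire(end_time)
    return reports


if __name__ == "__main__":
    for label, flag in (("per-user hash", True), ("global %count", False)):
        print(label)
        for when, user, n in correlate(SAMPLE_EVENTS, per_user=flag):
            print(f"  t={when:>3}s  user={user}  events seen={n}")
```

With the per-user hash, toto's two events at t=0 and t=12 are reported at t=32 with count 2, tita's at t=38, and toto's later event at t=50 starts a fresh count; with the shared counter every report carries the running total over all users, which is the behaviour the original ruleset would show.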
>
> On 29/03/2011 11:40, Risto Vaarandi wrote:
>> Ludovic,
>>
>> there are several ways to address the problem, but it depends what
>> exactly you would like to do.
>> Do you want to keep track of different user names, and report current
>> counters for all users once in X minutes, or do you rather want to send
>> a report for each user after the user has been inactive for X minutes?
>> For the latter case, you might want to try EventGroup rule with
>> following parameters:
>>
>> type=EventGroup
>> ptype=regexp
>> pattern=ERROR.*User "(\S+)" attempted to authenticate
>> count=lcall %ret $1 -> ( sub { ++$ucounts{$_[0]}; } ); \
>> add USER_$1 $0
>> desc=User $1 attempted to authenticate
>> action=none
>> multact=yes
>> end=lcall %ret $1 -> ( sub { return delete $ucounts{$_[0]}; } ); \
>> report USER_$1 mail -s 'User $1 %ret events seen' root; \
>> delete USER_$1
>> window=20
>>
>> Note that with this ruleset, the counters are implemented not as SEC
>> variables, but as a Perl hash %ucounts. The 'multact' field of the rule
>> has to be set to yes which forces the event correlation window sliding,
>> until the last matching event is outside the window (in the case of this
>> example this means that 20 seconds have elapsed from the last activity
>> from a given user).
>>
>> kind regards,
>> risto
>>
>> On 03/29/2011 11:22 AM, Ludovic Hutin wrote:
>>> Hi again,
>>>
>>> After reading this documentation,
>>> http://sixshooter.v6.thrupoint.net/SEC-examples/article.html
>>> it says that variables are global. I would like to have a context variable.
>>>
>>> Doing something like this seems impossible: assign %count_$1 1
>>>
>>> The idea is to count the occurrences of a pattern and send a report every
>>> x hours.
>>>
>>> type=single
>>> continue=takenext
>>> ptype=regexp
>>> pattern=ERROR.*User "(\S+)" attempted to authenticate
>>> context=!NB_APPARITION_$1
>>> desc=First apparition for user $1
>>> action=create NB_APPARITION_$1 0; assign %count 1
>>>
>>> type=single
>>> continue=takenext
>>> ptype=regexp
>>> pattern=ERROR.*User "(\S+)" attempted to authenticate
>>> context=NB_APPARITION_$1
>>> desc=%count apparition for user $1
>>> action=eval %count ( %count + 1 ); add NB_APPARITION_$1 $0; \
>>>        set NB_APPARITION_$1 30 \
>>>        (report NB_APPARITION_$1 /bin/echo 'Login : $1 Nb - connexion : %count' >> result.txt)
>>>
>>> Best Regards,
>>> Ludovic.
>>>
>>> On 28/03/2011 16:42, Ludovic Hutin wrote:
>>>> Hello,
>>>>
>>>> I am new to the extraordinary tool SEC.
>>>> I would like to do something like this; in my log file I have this:
>>>>
>>>> ERROR User toto something wrong ...
>>>> ERROR User tita something wrong ...
>>>> ERROR User tutu something wrong ...
>>>> ERROR User tita something wrong ...
>>>> ERROR User toto something wrong ...
>>>> ERROR User tita something wrong ...
>>>>
>>>> I would like to count the number of occurrences for each user and
>>>> send a report after X minutes during which we don't see any occurrence of the user.
>>>>
>>>> type=single
>>>> continue=takenext
>>>> ptype=regexp
>>>> pattern=ERROR.*User (\S+) something wrong
>>>> context=!NB_APPARITION_$1
>>>> desc=First apparition for user $1
>>>> action=create NB_APPARITION_$1 0; assign %nbapparition 1
>>>>
>>>> type=single
>>>> continue=takenext
>>>> ptype=regexp
>>>> pattern=ERROR.*User (\S+) something wrong
>>>> context=NB_APPARITION_$1
>>>> desc=%nbapparition error for user $1
>>>> action=eval %nbapparition ( %nbapparition + 1 ); add NB_APPARITION_$1 $0; \
>>>>        set NB_APPARITION_$1 1800 \
>>>>        (report NB_APPARITION_$1 /bin/echo 'Login : $1 Nb - connexion : %nbapparition' >> result.txt)
>>>>
>>>> I don't know what's wrong; if someone has an idea.
>>>>
>>>> Thanks in advance for helping.
>>>> Ludovic.
>>>>
>>>
>>
> - - - - - - - - - - - - - - -
> Ludovic Hutin
> Pôle Supervision
> Académie de Nancy-Metz
>
>
>
------------------------------------------------------------------------------
Enable your software for Intel(R) Active Management Technology to meet the
growing manageability and security demands of your customers. Businesses
are taking advantage of Intel(R) vPro (TM) technology - will your software
be a part of the solution? Download the Intel(R) Manageability Checker
today! http://p.sf.net/sfu/intel-dev2devmar
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users