hi Uwe,

the problem you are seeing is caused by a side effect of the Pair rule, but can easily be fixed by changing the 'pattern2' field just a bit.
Let me explain why this is happening. After you have submitted SEC the first 4 input lines, SEC has two event correlation operations running that have been started by the Pair rule. Here is an excerpt from the /tmp/sec.dump file which shows their status:

List of event correlation operations:
============================================================
Key: test-rieke.rules | 0 | error moncheck node itservice source subsource2
Operation started at: Thu Apr 7 14:46:25 2011
Correlation window begins at: Thu Apr 7 14:46:25 2011
Configuration file: test-rieke.rules
Rule number: 1
Rule internal ID: 0
Type: Pair
Pattern: regexp for 1 line(s): (?-xism:^(moncheck):(WARNING|MINOR|CRITICAL|FATAL):(\S+):(\S+):(\S+):(\S+):(.*)$)
Context:
Behavior after match: don't continue
Description: error moncheck node itservice source subsource2
Action: shellcmd /home/xv18202/sec/print.sh 0=moncheck:WARNING:node:itservice:source:subsource2:message 1=moncheck 2=WARNING 3=node 4=itservice 5=source 6=subsource2 7=message;
Pattern2: regexp for 1 line(s): (?-xism:^(moncheck):(OK):(\S+):(\S+):(\S+):(\S+):(.*)$)
Context2:
Behavior after match2: don't continue
Description2: ok $1 $3 $4 $5 $6
Action2: shellcmd /home/xv18202/sec/print.sh clearing_0=$0 1=$1 2=$2 3=$3 4=$4 5=$5 6=$6 7=$7;
Window: infinite
------------------------------------------------------------
Key: test-rieke.rules | 0 | error moncheck node itservice source subsource1
Operation started at: Thu Apr 7 14:45:50 2011
Correlation window begins at: Thu Apr 7 14:45:50 2011
Configuration file: test-rieke.rules
Rule number: 1
Rule internal ID: 0
Type: Pair
Pattern: regexp for 1 line(s): (?-xism:^(moncheck):(WARNING|MINOR|CRITICAL|FATAL):(\S+):(\S+):(\S+):(\S+):(.*)$)
Context:
Behavior after match: don't continue
Description: error moncheck node itservice source subsource1
Action: shellcmd /home/xv18202/sec/print.sh 0=moncheck:WARNING:node:itservice:source:subsource1:message 1=moncheck 2=WARNING 3=node 4=itservice 5=source 6=subsource1 7=message;
Pattern2: regexp for 1 line(s): (?-xism:^(moncheck):(OK):(\S+):(\S+):(\S+):(\S+):(.*)$)
Context2:
Behavior after match2: don't continue
Description2: ok $1 $3 $4 $5 $6
Action2: shellcmd /home/xv18202/sec/print.sh clearing_0=$0 1=$1 2=$2 3=$3 4=$4 5=$5 6=$6 7=$7;
Window: infinite
------------------------------------------------------------
Total: 2 elements

When you are now submitting the first OK event, SEC will find that it will not match the 'pattern' field of the Pair rule. Now SEC will proceed as follows -- *all* event correlation operations started by the Pair rule will be scanned, and if the dynamic regular expression 'pattern2' matches for an operation, the second action will be executed and the operation terminates. Note that this will happen for *every* operation for which 'pattern2' matches! (I acknowledge that this was not documented well enough in previous releases of SEC, and therefore I specifically fixed this issue in the man page of SEC-2.6).

The problem is that for both operations which are running, the dynamic regular expression is the same:

(?-xism:^(moncheck):(OK):(\S+):(\S+):(\S+):(\S+):(.*)$)

Therefore, both operations will execute the second action and will terminate. Worse yet, this regular expression will match events from *any* source, subsource, etc., so even the OK-event from subsource3 would trigger an action.

To fix this problem, you can rewrite the 'pattern2' field as follows:

pattern2 = ^($1):(OK):($3):($4):($5):($6):(.*)$

Now each operation will match events *only* from the same node, itservice, source and subsource. Note that you can also omit parentheses around match variables, but in this case you must use %<num> match variables in the second half of the rule.

hope this helps,
risto

On 04/07/2011 01:34 PM, uwe.ri...@ruv.de wrote:
> Hello,
>
> can anybody help with my problem with the Pair rule?
>
> My logfile gets the following input from a monitoring script:
>
> moncheck:WARNING:node:itservice:source:subsource1:message
> moncheck:WARNING:node:itservice:source:subsource2:message
>
> The events should be treated as equal for "action" and "action2", if slot
> 1,3,4,5,6 are equal.
>
> In my example it is working for "action", that means
> moncheck:WARNING:node:itservice:source:subsource1:message
> moncheck:WARNING:node:itservice:source:subsource2:message
> are 2 unique events
>
> but in "action2" all events are cleared if only 1 event should be cleared,
> that means
> moncheck:OK:node:itservice:source:subsource1:message
> should only clear the event:
> moncheck:WARNING:node:itservice:source:subsource1:message
> but the event
> moncheck:WARNING:node:itservice:source:subsource2:message
> is also cleared.
>
> How do I need to set it up that this is working for "action" and "action2" ?
>
>
> Here is my setup:
>
> Rulefile moncheck.conf
> __________________________________
> type=Pair
> ptype=regexp
> pattern = ^(moncheck):(WARNING|MINOR|CRITICAL|FATAL):(\S+):(\S+):(\S+):(\S+):(.*)$
> desc=error $1 $3 $4 $5 $6
> action=shellcmd /home/xv18202/sec/print.sh 0=$0 1=$1 2=$2 3=$3 4=$4 5=$5 6=$6 7=$7
> ptype2=regexp
> pattern2 = ^($1):(OK):(\S+):(\S+):(\S+):(\S+):(.*)$
> desc2=ok $1 $3 $4 $5 $6
> action2=shellcmd /home/xv18202/sec/print.sh clearing_0=$0 1=$1 2=$2 3=$3 4=$4 5=$5 6=$6 7=$7
>
> # print.sh is just for printing and checking the variables
> # $1=monitor
> # $2=severity
> # $3=node
> # $4=itservice
> # $5=source
> # $6=subsource
> # $7=message
> __________________________________
>
> Testscenario:
>
> 1. echo "moncheck:WARNING:node:itservice:source:subsource1:message">> tt
>
> result: action is triggered as expected,
>
> 2. echo "moncheck:WARNING:node:itservice:source:subsource1:message">> tt
>
> result: no action as expected
>
> 3. echo "moncheck:WARNING:node:itservice:source:subsource2:message">> tt
>
> result: action is triggered as expected
>
> 4. echo "moncheck:WARNING:node:itservice:source:subsource2:message">> tt
>
> result: no action as expected
>
> 5. echo "moncheck:OK:node:itservice:source:subsource1:message">> tt
>
> result: action2 is triggered twice for "subsource1"
> expected: action2 only once for "subsource1"
>
> 6. echo "moncheck:WARNING:node:itservice:source:subsource1:message">> tt
>
> result: action is triggered as expected
>
> 7. echo "moncheck:WARNING:node:itservice:source:subsource2:message">> tt
>
> result: action is triggered for "subsource2"
> expected: no action is triggered because "subsource2" has not been cleared
>
>
> running sec.pl
> _______________________________________________________________________
>
> /usr/local/eventscripts/sec.pl -conf=/home/xv18202/sec/moncheck.conf -input=tt
> SEC (Simple Event Correlator) 2.5.3
> Reading configuration from /home/xv18202/sec/moncheck.conf
> 1 rules loaded from /home/xv18202/sec/moncheck.conf
> Stdin connected to terminal, SIGINT can't be used for changing the logging
> level
>
> ___ 1.___
>
> Executing shell command '/home/xv18202/sec/print.sh
> 0=moncheck:WARNING:node:itservice:source:subsource1:message 1=moncheck
> 2=WARNING 3=node 4=itservice 5=source 6=subsource1 7=message'
> Child 26317 created for command '/home/xv18202/sec/print.sh
> 0=moncheck:WARNING:node:itservice:source:subsource1:message 1=moncheck
> 2=WARNING 3=node 4=itservice 5=source 6=subsource1 7=message'
> 0=moncheck:WARNING:node:itservice:source:subsource1:message 1=moncheck
> 2=WARNING 3=node 4=itservice 5=source 6=subsource1 7=message
>
> ___ 3. ___
>
> Executing shell command '/home/xv18202/sec/print.sh
> 0=moncheck:WARNING:node:itservice:source:subsource2:message 1=moncheck
> 2=WARNING 3=node 4=itservice 5=source 6=subsource2 7=message'
> Child 12261 created for command '/home/xv18202/sec/print.sh
> 0=moncheck:WARNING:node:itservice:source:subsource2:message 1=moncheck
> 2=WARNING 3=node 4=itservice 5=source 6=subsource2 7=message'
> 0=moncheck:WARNING:node:itservice:source:subsource2:message 1=moncheck
> 2=WARNING 3=node 4=itservice 5=source 6=subsource2 7=message
>
> ___ 5. ___
>
> Executing shell command '/home/xv18202/sec/print.sh
> clearing_0=moncheck:OK:node:itservice:source:subsource1:message 1=moncheck
> 2=OK 3=node 4=itservice 5=source 6=subsource1 7=message'
> Child 13977 created for command '/home/xv18202/sec/print.sh
> clearing_0=moncheck:OK:node:itservice:source:subsource1:message 1=moncheck
> 2=OK 3=node 4=itservice 5=source 6=subsource1 7=message'
> Executing shell command '/home/xv18202/sec/print.sh
> clearing_0=moncheck:OK:node:itservice:source:subsource1:message 1=moncheck
> 2=OK 3=node 4=itservice 5=source 6=subsource1 7=message'
> Child 13978 created for command '/home/xv18202/sec/print.sh
> clearing_0=moncheck:OK:node:itservice:source:subsource1:message 1=moncheck
> 2=OK 3=node 4=itservice 5=source 6=subsource1 7=message'
> clearing_0=moncheck:OK:node:itservice:source:subsource1:message 1=moncheck
> 2=OK 3=node 4=itservice 5=source 6=subsource1 7=message
> clearing_0=moncheck:OK:node:itservice:source:subsource1:message 1=moncheck
> 2=OK 3=node 4=itservice 5=source 6=subsource1 7=message
>
> ___ 6. ___
>
> Executing shell command '/home/xv18202/sec/print.sh
> 0=moncheck:WARNING:node:itservice:source:subsource1:message 1=moncheck
> 2=WARNING 3=node 4=itservice 5=source 6=subsource1 7=message'
> Child 14431 created for command '/home/xv18202/sec/print.sh
> 0=moncheck:WARNING:node:itservice:source:subsource1:message 1=moncheck
> 2=WARNING 3=node 4=itservice 5=source 6=subsource1 7=message'
> 0=moncheck:WARNING:node:itservice:source:subsource1:message 1=moncheck
> 2=WARNING 3=node 4=itservice 5=source 6=subsource1 7=message
>
> ___ 7. ___
>
> Executing shell command '/home/xv18202/sec/print.sh
> 0=moncheck:WARNING:node:itservice:source:subsource2:message 1=moncheck
> 2=WARNING 3=node 4=itservice 5=source 6=subsource2 7=message'
> Child 14202 created for command '/home/xv18202/sec/print.sh
> 0=moncheck:WARNING:node:itservice:source:subsource2:message 1=moncheck
> 2=WARNING 3=node 4=itservice 5=source 6=subsource2 7=message'
> 0=moncheck:WARNING:node:itservice:source:subsource2:message 1=moncheck
> 2=WARNING 3=node 4=itservice 5=source 6=subsource2 7=message
>
> Thanks and regards
> Uwe Rieke
> R+V Allgemeine Versicherung AG
>
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
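
The behaviour described in the reply, as an added example that is not part of the original thread and is not SEC code: a simplified Python model of a Pair rule with an infinite window, replaying the seven events of the test scenario with both 'pattern2' variants. The function names and the literal escaping of substituted values are assumptions of this model.

```python
import re

# Rule fields quoted from the thread; PATTERN2_FIXED is the rewrite from the reply.
PATTERN = r'^(moncheck):(WARNING|MINOR|CRITICAL|FATAL):(\S+):(\S+):(\S+):(\S+):(.*)$'
PATTERN2_ORIG = r'^($1):(OK):(\S+):(\S+):(\S+):(\S+):(.*)$'
PATTERN2_FIXED = r'^($1):(OK):($3):($4):($5):($6):(.*)$'
DESC = 'error $1 $3 $4 $5 $6'

# The seven events of the test scenario in the original question.
W1 = 'moncheck:WARNING:node:itservice:source:subsource1:message'
W2 = 'moncheck:WARNING:node:itservice:source:subsource2:message'
OK1 = 'moncheck:OK:node:itservice:source:subsource1:message'
SCENARIO = [W1, W1, W2, W2, OK1, W1, W2]


def subst(template, values):
    """Replace each $N in template with values[N] ($0 is the whole line)."""
    return re.sub(r'\$(\d)', lambda m: values[int(m.group(1))], template)


def run(pattern2, events):
    """Replay events through a simplified Pair rule with an infinite window.

    Returns a list of (action_name, event, operation_key) tuples.
    """
    ops = {}    # operation key (expanded desc) -> this operation's compiled pattern2
    fired = []
    for line in events:
        m = re.match(PATTERN, line)
        if m:
            values = [m.group(0), *m.groups()]
            key = subst(DESC, values)
            if key not in ops:  # a running operation absorbs repeats silently
                # Model assumption: substituted values are escaped to match literally.
                literal = [re.escape(v) for v in values]
                ops[key] = re.compile(subst(pattern2, literal))
                fired.append(('action', line, key))
            continue
        # Not a 'pattern' match: every running operation is checked, and each
        # one whose pattern2 matches runs action2 and terminates.
        for key in [k for k, rx in ops.items() if rx.match(line)]:
            fired.append(('action2', line, key))
            del ops[key]
    return fired


if __name__ == '__main__':
    for name, p2 in (('original', PATTERN2_ORIG), ('fixed', PATTERN2_FIXED)):
        print(name, [(a, k.split()[-1]) for a, _, k in run(p2, SCENARIO)])
```

With the original 'pattern2' the single OK event closes both operations, so step 7 starts a new one; with the rewritten field only the subsource1 operation ends and step 7 is absorbed.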