Hi all,
We are using SEC for some log correlation with this configuration:
type=EventGroup
ptype=regexp
pattern=ERROR,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),(PATTERN_A|PATTERN_B|PATTERN_C|PATTERN_D|PATTERN_E|PATTERN_F|PATTERN_G|PATTERN_H[^,]*|PATTERN_I),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*)
count=lcall %ret $13 -> ( sub { ++$ucounts{$_[0]}; } ); \
write /logs/result/$13.login %t $8 ; \
add USER_$13 $0
desc=User $13 appear
action=pipe 'sendMail' /root/sendMail.pl $13 ;
multact=yes
end=lcall %ret $13 -> ( sub { return delete $ucounts{$_[0]}; } ); \
report USER_$13 /bin/echo %t $13 %ret >> /logs/result.txt; \
delete USER_$13
window=1800
thresh=4
It works perfectly, and we get an email when a user generates 4 entries
in 30 minutes.
First question:
I have a question about the first %t value in the count
directive: when I look at my file, I always see the same time.
Example:
...
Fri Jun 10 10:08:37 2011 PATTERN_A
Fri Jun 10 10:08:37 2011 PATTERN_A
Fri Jun 10 10:08:37 2011 PATTERN_A
Fri Jun 10 10:08:49 2011 PATTERN_A
Fri Jun 10 10:08:49 2011 PATTERN_A
Fri Jun 10 10:08:49 2011 PATTERN_A
...
The events don't arrive at the same time in the source log file.
Is it normal that the time changes? Am I doing something wrong?
Second question:
If a 5th, 6th, 7th... event appears for the same user during the 30 minutes, I receive
a second, third, fourth... mail.
I would like to receive only one mail during the window. Is this
possible with EventGroup rules?
I hope my English is not too bad ;)
Ludovic.
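As an added example (not from the post, and not SEC itself), the following Python model replays the rule's per-user counting, with its window (1800 s), thresh (4), pattern field ($8) and user field ($13), over constructed events: first with the mail-per-event behaviour the post describes, then with a one-alert-per-window flag. The `fire_once` flag, the `event` helper and all timestamps and user names are constructed for this example and are not SEC options.

```python
import re

# Regexp copied from the SEC rule above: group 8 is the pattern, group 13 the user ($8, $13).
EVENT_RE = re.compile(
    r"ERROR,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),"
    r"(PATTERN_A|PATTERN_B|PATTERN_C|PATTERN_D|PATTERN_E|PATTERN_F|PATTERN_G|PATTERN_H[^,]*|PATTERN_I),"
    r"([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*)")

# Per-user sliding-window counter with the rule's window (1800 s) and thresh (4).
# fire_once=False alerts on the 4th event and every later one in the window (as the post
# describes); fire_once=True (this model's own flag, not an SEC option) alerts once per window.
class UserThreshold:
    def __init__(self, window=1800, thresh=4, fire_once=False):
        self.window, self.thresh, self.fire_once = window, thresh, fire_once
        self.times = {}                  # user -> timestamps still inside the window
        self.alerted = set()             # users already alerted in their current window
        self.alerts = []                 # (timestamp, user, count) stands in for sendMail

    def feed(self, ts, line):
        m = EVENT_RE.match(line)
        if not m:                        # not an event this rule matches
            return
        user = m.group(13)
        q = [t for t in self.times.get(user, []) if ts - t < self.window]  # slide window
        if not q:
            self.alerted.discard(user)   # window emptied: a fresh one starts for this user
        q.append(ts)
        self.times[user] = q
        if len(q) >= self.thresh and not (self.fire_once and user in self.alerted):
            self.alerted.add(user)
            self.alerts.append((ts, user, len(q)))

def event(pattern, user):
    f = ["ERROR"] + ["x"] * 17           # constructed 18-field record: pattern in field 8,
    f[8], f[13] = pattern, user          # user in field 13, shaped like the rule's input
    return ",".join(f)

# Constructed input (seconds, pattern, user): alice bursts twice, bob stays under thresh,
# carol's PATTERN_Z is not in the rule's pattern list and is ignored.
SAMPLE_EVENTS = [(t, event(p, u)) for t, p, u in [
    (0, "PATTERN_A", "alice"), (60, "PATTERN_A", "alice"), (100, "PATTERN_Z", "carol"),
    (120, "PATTERN_B", "bob"), (180, "PATTERN_A", "alice"), (240, "PATTERN_A", "alice"),
    (300, "PATTERN_A", "alice"), (360, "PATTERN_A", "alice"), (400, "PATTERN_H2", "bob"),
    (3000, "PATTERN_A", "alice"), (3060, "PATTERN_A", "alice"),
    (3120, "PATTERN_A", "alice"), (3180, "PATTERN_A", "alice")]]

def run(fire_once):
    corr = UserThreshold(fire_once=fire_once)
    for ts, line in SAMPLE_EVENTS:
        corr.feed(ts, line)
    return corr.alerts
```

`run(False)` yields alerts for alice's 4th, 5th and 6th events and again for her second burst, while `run(True)` yields one alert per burst.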
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users