2011/6/14 Ludovic Hutin <[email protected]>:
> Hi,
>
> I need help (again)...
>
> I got many entries like PATTERN1(time) PATTERN2(username) PATTERN3(ip)
> I want to log in a file the unique IP of a user with a timeout of 10mn
>
> 12h20 USERA 10.10.10.10 => this entry has to be logged (with an
> action=write directive)
> 12h21 USERA 10.10.10.10 => This one is not needed (counter is
> reset to 10mn)
> 12h25 USERA 10.10.10.10 => This one is not needed (counter is
> reset to 10mn)
> 12h46 USERA 10.10.10.10 => Timeout of 10mn exceeded, we log again
>
> And for more fun, I have many, many users
>
> What is the best way to do that?

Try SingleWithSuppress rule with a window of 600 seconds, for example:

type=SingleWithSuppress
ptype=RegExp
pattern=(\S+) ([\d.]+)
desc=User $1 logged in from $2
action=write - %s
window=600

Note that this rule will suppress repeated messages for the same user
AND the same IP for 10 minutes. If you would like to suppress repeated
messages for the same user name, regardless of the address, remove the
$2 variable from the 'desc' field, e.g.,

desc=User $1 login

(The man page section
http://simple-evcorr.sourceforge.net/man.html#EVENT%20CORRELATION%20OPERATIONS
contains a detailed discussion of how the 'desc' field of a rule influences
the scope of event correlation.)

HTH,
risto

>
> After that, I want to correlate with an existing EventGroup, but
> it's another story ;)
>
> Best regards,
> Ludovic.
>

_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
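
Added example (not part of the original thread, and not SEC's own code): a small Python simulation of how the rule above scopes suppression by the expanded 'desc' string, run over constructed log lines. The HHhMM timestamp format and the simulate() helper are assumptions for illustration; the suppression is modeled as running for a fixed 600 seconds from the first matching event, so later matches do not extend it.

```python
import re

# Constructed sample input in the thread's "time user ip" layout.
SAMPLE = """\
12h20 USERA 10.10.10.10
12h21 USERA 10.10.10.10
12h22 USERA 10.10.10.99
12h24 USERB 10.10.10.10
12h25 USERA 10.10.10.10
12h31 USERA 10.10.10.10
12h46 USERA 10.10.10.10
"""

# Assumed line format: HHhMM, then user ($1) and IP ($2) as in the rule's pattern.
LINE = re.compile(r"(\d+)h(\d+) (\S+) ([\d.]+)$")


def simulate(log, desc, window=600):
    """Return the lines a SingleWithSuppress-style rule would write.

    One suppression operation exists per expanded 'desc' string; while it
    runs, matching events with the same string are dropped silently.
    """
    expires = {}   # expanded desc -> time (seconds) the operation ends
    written = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m is None:
            continue
        now = (int(m.group(1)) * 60 + int(m.group(2))) * 60
        user, ip = m.group(3), m.group(4)
        key = desc.replace("$1", user).replace("$2", ip)
        if now < expires.get(key, 0):
            continue                      # suppressed; window is not extended
        expires[key] = now + window       # first event starts a new operation
        written.append(f"{m.group(1)}h{m.group(2)} {key}")
    return written


if __name__ == "__main__":
    for desc in ("User $1 logged in from $2", "User $1 login"):
        print(f"desc={desc}")
        for out in simulate(SAMPLE, desc):
            print("  " + out)
```

The 12h31 line is written even though USERA was last seen at 12h25, because the operation started at 12h20 has already ended; with the per-user 'desc', the 12h22 line from a new address is suppressed.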
