Hi all,

     The solution works, so it's enough for us. Adding another tool for
"transforming" the log is not the best idea (I think).
     It's impossible for us to configure the tool to write to syslog. I
think we have the best solution.

     Another question: we would like to add a calendar for some rules.
     Example:
         One processing during work hours, like 7AM to 8PM
         Another processing during non-working hours, like 8PM to 7AM and all
of Saturday / Sunday

The rules are not optimized; that's the next step ;-)
# I would like to execute these rules only during work hours, like 7AM to 8PM
type=EventGroup
continue=TakeNext
ptype=perlfunc
pattern=sub { if ( $_[0] =~ /ERROR,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*)/ ) { \
                 return ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,lc($13)); } else { return 0;} }
count=lcall %ret $13 -> ( sub { ++$ucounts3{$_[0]}; } ); \
        write result/$13.login %t $8 ; \
        add USER3_$13 $0
desc=User $13 appear
action=pipe 'envoiMail' /root/sendMail3.pl $13 ;
multact=no
end=lcall %ret $13 -> ( sub { return delete $ucounts3{$_[0]}; } ); \
     delete USER3_$13
window=3600
thresh=10


# I would like to execute these rules only during non-working hours, like 8PM
# to 7AM and all of Saturday / Sunday
type=EventGroup
continue=TakeNext
ptype=perlfunc
pattern=sub { if ( $_[0] =~ /ERROR,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*)/ ) { \
                 return ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,lc($13)); } else { return 0;} }
count=lcall %ret $13 -> ( sub { ++$ucounts3{$_[0]}; } ); \
        write result/$13.login %t $8 ; \
        add USER3_$13 $0
desc=User $13 appear
action=pipe 'envoiMail' /root/sendMail3.pl $13 ;
multact=no
end=lcall %ret $13 -> ( sub { return delete $ucounts3{$_[0]}; } ); \
     delete USER3_$13
window=3600
thresh=3

What is the best way to do that?

     Create a context for each calendar and add the context into the
EventGroup rules?

Thanks a lot

Ludovic.

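One way to do exactly that, as an added example (not Ludovic's configuration and not text from the SEC documentation): a Calendar rule maintains a WORKHOURS context, and the two EventGroup rules test it with context=WORKHOURS and context=!WORKHOURS. The context name WORKHOURS, the action variable %lifetime and the 20:00 arithmetic are assumptions; Calendar rules, lcall and create are standard SEC features, and the EventGroup rules are the ones from this mail with only the context= line added.

```sec
# Added example: a Calendar rule keeps a WORKHOURS context alive from 07:00
# to 20:00, Monday to Friday.  time= is crontab-like: minute hour day month
# weekday (1-5 = Mon-Fri).  The rule is evaluated every minute but fires only
# while WORKHOURS is absent, so it creates the context at 07:00 and recreates
# it if SEC is restarted during the day.  The lifetime is the number of
# seconds left until 20:00, so the context always expires on time.  Outside
# Mon-Fri 07:00-19:59 the rule never fires, so weekends are covered too.
type=Calendar
time=* 7-19 * * 1-5
context=!WORKHOURS
desc=Create the WORKHOURS context (name chosen for this example)
action=lcall %lifetime -> ( sub { my @t = localtime(); \
                               return 20*3600 - ($t[2]*3600 + $t[1]*60 + $t[0]); } ); \
       create WORKHOURS %lifetime

# Work-hours rule: unchanged except for the context= line (thresh=10)
type=EventGroup
continue=TakeNext
ptype=perlfunc
pattern=sub { if ( $_[0] =~ /ERROR,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*)/ ) { \
                 return ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,lc($13)); } else { return 0;} }
context=WORKHOURS
count=lcall %ret $13 -> ( sub { ++$ucounts3{$_[0]}; } ); \
        write result/$13.login %t $8 ; \
        add USER3_$13 $0
desc=User $13 appear
action=pipe 'envoiMail' /root/sendMail3.pl $13 ;
multact=no
end=lcall %ret $13 -> ( sub { return delete $ucounts3{$_[0]}; } ); \
     delete USER3_$13
window=3600
thresh=10

# Off-hours rule: context=!WORKHOURS covers nights and whole weekends (thresh=3)
type=EventGroup
continue=TakeNext
ptype=perlfunc
pattern=sub { if ( $_[0] =~ /ERROR,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*)/ ) { \
                 return ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,lc($13)); } else { return 0;} }
context=!WORKHOURS
count=lcall %ret $13 -> ( sub { ++$ucounts3{$_[0]}; } ); \
        write result/$13.login %t $8 ; \
        add USER3_$13 $0
desc=User $13 appear
action=pipe 'envoiMail' /root/sendMail3.pl $13 ;
multact=no
end=lcall %ret $13 -> ( sub { return delete $ucounts3{$_[0]}; } ); \
     delete USER3_$13
window=3600
thresh=3
```

If the working hours change, the hour range in time= and the 20*3600 in the lcall must be edited together, otherwise the context will expire before or after the second rule starts to apply.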

On 20/06/2011 15:27, John P. Rouillard wrote:
> In message<[email protected]>,
> Ludovic Hutin writes:
>
>>> On 17/06/2011 15:49, John P. Rouillard wrote:
>>> In message<[email protected]>,
>>> Ludovic Hutin writes:
>>>>>       I am back again with another question: is it possible to set the
>>>>> context param to be case insensitive?
>>>>>       In my first log, usernames come in lowercase, and in the other log
>>>>> they come with some uppercase.
>>>>>
>>>>>       context=USER_$13 with $13 in the first logs is "toto" and in the
>>>>> second log is "TOTO"
>>>>>       The result is simple: impossible to correlate the 2 entries :-(
>>> The only thing that comes to mind immediately is to use a perlfunc for
>>> the pattern and modify the case of the username. Something like:
>>>
>>>     ptype = perlfunc
>>>     pattern = sub { if ( $_[0] =~ /(your) pattern with (NAME) (here)/ ) { \
>>>                   return ($1, lc($2), $3); } else { return 0;} }
>>>     context = name_$2
>> I can say this solution works perfectly. But now I've got a configuration
>> file that is not easy ;)
> Yes, you will definitely want to document what this rule does and why
> it is needed.  I am guessing the systems you are working with use case
> insensitive usernames so TOTO and toto are both the same user. So it
> is a bit of a tricky correlation issue as well.
>
> Also for others seeing this thread in the mailing list, one other way
> of handling it would have been to preprocess one of your logs using
> something like sed or perl to convert your uppercase names to
> lowercase (or the lowercase to uppercase). But this moves some of the
> complexity outside of SEC which may or may not be desirable.
>
> --
>                               -- rouilj
> John Rouillard
> ===========================================================================
> My employers don't acknowledge my existence much less my opinions.

Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users