On 06/21/2011 12:01 PM, Ludovic Hutin wrote:
> Hi all,
>
> The solution works, so it's enough for us. Adding another tool for
> "transforming" the log is not the best idea (I think).
> It's impossible for us to configure the tool to write to syslog. I
> think we have the best solution.
>
> Another question: we would like to add a calendar for some rules.
> Example:
> One processing during work hours, like 7AM to 8PM
> Another processing during non-working hours, like 8PM to 7AM and all
> of Saturday / Sunday
>
> The rules are not optimized, that's the next step ;-)
> # I would like to execute this rule only during work hours like 7AM to 8PM
> type=EventGroup
> continue=TakeNext
> ptype=perlfunc
> pattern=sub { if ( $_[0] =~
> /ERROR,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*)/
> ) { \
> return ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,
> lc($13)); } else { return 0;} }
> count=lcall %ret $13 -> ( sub { ++$ucounts3{$_[0]}; } ); \
> write result/$13.login %t $8 ; \
> add USER3_$13 $0
> desc=User $13 appear
> action=pipe 'envoiMail' /root/sendMail3.pl $13 ;
> multact=no
> end=lcall %ret $13 -> ( sub { return delete $ucounts3{$_[0]}; } ); \
> delete USER3_$13
> window=3600
> thresh=10
>
>
> # I would like to execute this rule only during non-working hours like 8PM
> to 7AM and all of Saturday / Sunday
> type=EventGroup
> continue=TakeNext
> ptype=perlfunc
> pattern=sub { if ( $_[0] =~
> /ERROR,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*)/
> ) { \
> return ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,
> lc($13)); } else { return 0;} }
> count=lcall %ret $13 -> ( sub { ++$ucounts3{$_[0]}; } ); \
> write result/$13.login %t $8 ; \
> add USER3_$13 $0
> desc=User $13 appear
> action=pipe 'envoiMail' /root/sendMail3.pl $13 ;
> multact=no
> end=lcall %ret $13 -> ( sub { return delete $ucounts3{$_[0]}; } ); \
> delete USER3_$13
> window=3600
> thresh=3
>
> What is the best way to do that?
>
> Create a context for each calendar and add the context into the
> EventGroup rules ?
I'd say the best way is indeed to create a context from Calendar rule.
There is one caveat, though -- if you create a context at a specific
time only for N hours, it will not be recreated if SEC is restarted
during this N hour window.
However, there is one fairly simple workaround:
type=Calendar
time=* 8-9 * * *
desc=create MYCONTEXT for 8AM-10AM
action=create MYCONTEXT 60
This rule will create the context MYCONTEXT (with a lifetime of 1
minute) each minute from 8.00 to 9.59. Note that when SEC is restarted
(or gets SIGHUP signal) between these times, the Calendar rule recreates
MYCONTEXT.
If you don't want to have a gap between SEC restart and recreation of
the context (with default settings it is 1 second), you can also call
Perl's time() function from the rule's context expression and check the
return value.
best regards,
risto
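An added example, not code from the thread, that puts Risto's suggestion together with Ludovic's two EventGroup rules: a Calendar rule keeps a WORKHOURS context alive, the work-hour rule requires it, and the off-hour rule checks the clock directly with Perl code in its context expression (the variant Risto mentions, so it has no restart gap). It assumes cron-style ranges in the time field with 0 = Sunday, and that your SEC version accepts the =( ... ) Perl form of a context expression; check the CONTEXT EXPRESSIONS section of the sec man page.

```conf
# Added example (not from the thread): gate Ludovic's two EventGroup
# rules on working hours with a context that a Calendar rule keeps alive.
# Recreate WORKHOURS every minute from 07:00 to 19:59, Monday to Friday
# (assumed cron-style fields: min hour dom month dow, 0 = Sunday). With a
# 60 s lifetime the context is back within a minute of a restart/SIGHUP.
type=Calendar
time=* 7-19 * * 1-5
desc=create WORKHOURS for 7AM-8PM on weekdays
action=create WORKHOURS 60

# Working-hour rule: evaluated only while the WORKHOURS context exists.
type=EventGroup
continue=TakeNext
ptype=perlfunc
pattern=sub { if ( $_[0] =~ /ERROR,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*)/ ) { \
    return ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,lc($13)); } else { return 0; } }
context=WORKHOURS
count=lcall %ret $13 -> ( sub { ++$ucounts3{$_[0]}; } ); \
      write result/$13.login %t $8 ; \
      add USER3_$13 $0
desc=User $13 appear (work hours)
action=pipe 'envoiMail' /root/sendMail3.pl $13
multact=no
end=lcall %ret $13 -> ( sub { return delete $ucounts3{$_[0]}; } ); \
    delete USER3_$13
window=3600
thresh=10

# Off-hour rule: same pattern, lower threshold. Instead of a second
# context it asks Perl's localtime() (i.e. time() broken down) whether it
# is a weekend, before 07:00 or 20:00 or later, so there is no restart gap.
# The =( ... ) context form is assumed; context=!WORKHOURS also works,
# with the one-minute gap after a restart.
type=EventGroup
continue=TakeNext
ptype=perlfunc
pattern=sub { if ( $_[0] =~ /ERROR,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*)/ ) { \
    return ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,lc($13)); } else { return 0; } }
context= =( (localtime())[6] == 0 || (localtime())[6] == 6 || (localtime())[2] < 7 || (localtime())[2] >= 20 )
count=lcall %ret $13 -> ( sub { ++$ucounts3{$_[0]}; } ); \
      write result/$13.login %t $8 ; \
      add USER3_$13 $0
desc=User $13 appear (off hours)
action=pipe 'envoiMail' /root/sendMail3.pl $13
multact=no
end=lcall %ret $13 -> ( sub { return delete $ucounts3{$_[0]}; } ); \
    delete USER3_$13
window=3600
thresh=3
```

The two desc strings differ so the two rules keep separate correlation operations for the same user; the hour boundaries in both rules must be kept in sync by hand.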
>
> Thanks a lot
>
> Ludovic.
>
>
> On 20/06/2011 15:27, John P. Rouillard wrote:
>> In message<[email protected]>,
>> Ludovic Hutin writes:
>>
>>> On 17/06/2011 15:49, John P. Rouillard wrote:
>>>> In message<[email protected]>,
>>>> Ludovic Hutin writes:
>>>>> I am back again, with another question: is it possible to set the
>>>>> context parameter to be case insensitive?
>>>>> In my first log, usernames come in lowercase, and in the other log
>>>>> they come with some uppercase.
>>>>>
>>>>> context=USER_$13 with $13 in the first log is "toto" and in the
>>>>> second log is "TOTO".
>>>>> The result is simple: impossible to correlate the 2 entries :-(
>>>> The only thing that comes to mind immediately is to use a perlfunc for
>>>> the pattern and modify the case of the username. Something like:
>>>>
>>>> ptype = perlfunc
>>>> pattern = sub { if ( $_[0] =~ /(your) pattern with (NAME) (here)/ ) {
>>>> \
>>>> return ($1, lc($2), $3); } else { return 0;} }
>>>> context = name_$2
>>> I can say this solution works perfectly. But now I've got a not so easy
>>> configuration file ;)
>> Yes, you will definitely want to document what this rule does and why
>> it is needed. I am guessing the systems you are working with use case
>> insensitive usernames so TOTO and toto are both the same user. So it
>> is a bit of a tricky correlation issue as well.
>>
>> Also for other seeing this thread in the mailing list, one other way
>> of handling it would have been to preprocess one of your logs using
>> something like sed or perl to convert your uppercase names to
>> lowercase (or the lowercase to uppercase). But this moves some of the
>> complexity outside of SEC which may or may not be desirable.
>>
>> --
>> -- rouilj
>> John Rouillard
>> ===========================================================================
>> My employers don't acknowledge my existence much less my opinions.
>
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users