Hi,
I add this rules in my configuration file. Thanks for the powerfull
doc !
I hope this night it's should be working ;-)
type=Calendar
time=* 6-20 * * 1,2,3,4,5
desc=BUSINESS_HOURS
context=!BUSINESS_HOURS
action=create %s;\
write - Switched to Business Hours;\
delete OFF_HOURS;
type=Calendar
time=* 0-5,21-23 * * *
context=!OFF_HOURS
desc=OFF_HOURS
action=create %s;\
write - Switched to Off Hours;\
delete BUSINESS_HOURS;
type=Calendar
time=* * * * 6,7
context=!OFF_HOURS
desc=OFF_HOURS
action=create %s;\
write - Switched to Off Hours;\
delete BUSINESS_HOURS;
Thanks a lot,
Ludovic.
Le 21/06/2011 17:08, Risto Vaarandi a écrit :
> On 06/21/2011 12:01 PM, Ludovic Hutin wrote:
>> Hi all,
>>
>> The solution work, so it's enough for us. Add another tool for
>> "transforming" the log is not the best idea (i think)
>> It's impossible for us to configure the tool to write in syslog. I
>> think we have to best solution.
>>
>> Another question, we would like to add a calendar for some rules
>> Example :
>> One traitement on work hour 'like 7AM to 8PM'
>> Another traitement on unworking hour like 8PM to 7AM and all
>> the saturday / sunday
>>
>> rules are not optimize, it's the next step ;-)
>> # I would like to execute this rules only on work hour like 7AM to 8PM
>> type=EventGroup
>> continue=TakeNext
>> ptype=perlfunc
>> pattern=sub { if ( $_[0] =~
>> /ERROR,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*)/
>> ) { \
>> return ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,
>> lc($13)); } else { return 0;} }
>> count=lcall %ret $13 -> ( sub { ++$ucounts3{$_[0]}; } ); \
>> write result/$13.login %t $8 ; \
>> add USER3_$13 $0
>> desc=User $13 appear
>> action=pipe 'envoiMail' /root/sendMail3.pl $13 ;
>> multact=no
>> end=lcall %ret $13 -> ( sub { return delete $ucounts3{$_[0]}; } ); \
>> delete USER3_$13
>> window=3600
>> thresh=10
>>
>>
>> # I would like to execute this rules only on non working hour like 8PM
>> to 7AM and all the saturday / sunday
>> type=EventGroup
>> continue=TakeNext
>> ptype=perlfunc
>> pattern=sub { if ( $_[0] =~
>> /ERROR,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*)/
>> ) { \
>> return ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,
>> lc($13)); } else { return 0;} }
>> count=lcall %ret $13 -> ( sub { ++$ucounts3{$_[0]}; } ); \
>> write result/$13.login %t $8 ; \
>> add USER3_$13 $0
>> desc=User $13 appear
>> action=pipe 'envoiMail' /root/sendMail3.pl $13 ;
>> multact=no
>> end=lcall %ret $13 -> ( sub { return delete $ucounts3{$_[0]}; } ); \
>> delete USER3_$13
>> window=3600
>> thresh=3
>>
>> What is the best way to do that is to that ?
>>
>> Create a context for each calendar and add the context into the
>> EventGroup rules ?
> I'd say the best way is indeed to create a context from Calendar rule.
> There is one caveat, though -- if you create a context at a specific
> time only for N hours, it will not be recreated if SEC is restarted
> during this N hour window.
>
> However, there is one fairly simple workaround:
>
> type=Calendar
> time=* 8-9 * * *
> desc=create MYCONTEXT for 8AM-10AM
> action=create MYCONTEXT 60
>
> This rule will create the context MYCONTEXT (with a lifetime of 1
> minute) each minute from 8.00 to 9.59. Note that when SEC is restarted
> (or gets SIGHUP signal) between these times, the Calendar rule recreates
> MYCONTEXT.
>
> If you don't want to have a gap between SEC restart and recreation of
> the context (with default settings it is 1 second), you can also call
> Perl's time() function from the rule's context expression and check the
> return value.
>
> best regards,
> risto
>
>> Thanks a lot
>>
>> Ludovic.
>>
>>
>> Le 20/06/2011 15:27, John P. Rouillard a écrit :
>>> In message<[email protected]>,
>>> Ludovic Hutin writes:
>>>
>>>> Le 17/06/2011 15:49, John P. Rouillard a écrit :
>>>>> In message<[email protected]>,
>>>>> Ludovic Hutin writes:
>>>>>> I am back again, with another question, it's possible to set the
>>>>>> context param to be case insensitive ?
>>>>>> In my first log, username come in lowercase, and into other log
>>>>>> they come with some uppercase
>>>>>>
>>>>>> context=USER_$13 with $13 in the first logs is "toto" and in the
>>>>>> second log is "TOTO"
>>>>>> The result is simple, impossible to correlate the 2 entry :-(
>>>>> The only thing that comes to mind immediately is to use a perlfunc for
>>>>> the pattern and modify the case of the username. Something like:
>>>>>
>>>>> ptype = perlfunc
>>>>> patterm = sub { if ( $_[0] =~ /(your) pattern with (NAME) (here)/ )
>>>>> { \
>>>>> return ($1, lc($2), $3); } else { return 0;} }
>>>>> context = name_$2
>>>> I can say this solution works perfect. But now, i got a not easy
>>>> configuration file ;)
>>> Yes, you will definitely want to document what this rule does and why
>>> it is needed. I am guessing the systems you are working with use case
>>> insensitive usernames so TOTO and toto are both the same user. So it
>>> is a bit of a tricky correlation issue as well.
>>>
>>> Also for other seeing this thread in the mailing list, one other way
>>> of handling it would have been to preprocess one of your logs using
>>> something like sed or perl to convert your uppercase names to
>>> lowercase (or the lowercase to uppercase). But this moves some of the
>>> complexity outside of SEC which may or may not be desirable.
>>>
>>> --
>>> -- rouilj
>>> John Rouillard
>>> ===========================================================================
>>> My employers don't acknowledge my existence much less my opinions.
>> ------------------------------------------------------------------------------
>> EditLive Enterprise is the world's most technically advanced content
>> authoring tool. Experience the power of Track Changes, Inline Image
>> Editing and ensure content is compliant with Accessibility Checking.
>> http://p.sf.net/sfu/ephox-dev2dev
>> _______________________________________________
>> Simple-evcorr-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>>
>>
>
> ------------------------------------------------------------------------------
> EditLive Enterprise is the world's most technically advanced content
> authoring tool. Experience the power of Track Changes, Inline Image
> Editing and ensure content is compliant with Accessibility Checking.
> http://p.sf.net/sfu/ephox-dev2dev
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
------------------------------------------------------------------------------
Simplify data backup and recovery for your virtual environment with vRanger.
Installation's a snap, and flexible recovery options mean your data is safe,
secure and there when you need it. Data protection magic?
Nope - It's vRanger. Get your free trial download today.
http://p.sf.net/sfu/quest-sfdev2dev
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
