hi Thomas,

these error messages are actually not caused by the rule below, but 
rather by other rules which employ the %n variable.

When SEC loads its rules, all paths to external programs are checked and 
if the program is not found, a warning message is logged. In your case, 
you have of course specified the full path, thus finding the program 
would not be an issue. But unfortunately the assignment to %n variable 
happens at run time, after rules have already been loaded. Therefore, 
when SEC loads a rule, it is impossible to verify if %n will contain a 
valid program name at run time. For this reason, SEC logs this warning 
(the warning is also logged for programs not given with full paths and 
not found relative to the current directory, even if they are later 
successfully found due to proper settings of the PATH environment variable).

In the past, some people have argued against this message, while it was 
originally introduced at the request of other users. If this warning is 
annoying for the majority of the users, it is not a problem for me to 
remove it from the code.

kind regards,
risto
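Risto's point above is that the check runs when the rules are loaded, while %n is only assigned at run time. The following Python script is an added example, not part of this thread and not SEC's own code: a simplified load-time checker that reproduces the three cases he describes (a program token containing an unassigned variable, a missing absolute path, and a bare name that is only looked up in the current directory rather than in PATH). The constructed rule file, the set of action keywords it recognises, the file-existence test it uses and the reason strings are all assumptions of this example, not SEC's actual implementation.

```python
import os
import re
import shutil
import tempfile
from typing import Iterator, List, Tuple

# Action keywords whose first argument is an external program to run.
# Assumption for this example: a subset of SEC's actions; 'assign' runs nothing.
EXEC_ACTIONS = ("shellcmd", "spawn", "cmdexec")

# A SEC-style variable reference such as %n or %{name} (escaping not handled)
VAR_RE = re.compile(r"%\{?[A-Za-z0-9_]+\}?")

# Constructed rule file for this example (raw string keeps the '\' continuation)
SAMPLE_RULES = r"""type=single
desc=input facts file
ptype=regexp
continue=TakeNext
pattern=^SEC_STARTUP$|^SEC_RESTART$|^SEC_SOFTRESTART$
action=assign %n /opt/sec/tools/mytool.sh

type=single
desc=run the tool chosen at startup
ptype=regexp
pattern=^RUN_TOOL$
action=shellcmd %n \
    --verbose

type=single
desc=absolute path that is not installed on this host
ptype=regexp
pattern=^NOTIFY$
action=shellcmd /nonexistent/dir/notify.sh

type=single
desc=bare name that only PATH can resolve at run time
ptype=regexp
pattern=^ECHO$
action=shellcmd sh -c 'echo hit'

type=single
desc=bare name present in the current directory
ptype=regexp
pattern=^LOCAL$
action=shellcmd local_tool.sh
"""


def parse_actions(rule_text: str) -> List[Tuple[int, str]]:
    """Return (line number, action value) for every action= line,
    joining backslash-continued lines onto the line where they start."""
    actions: List[Tuple[int, str]] = []
    lines = rule_text.splitlines()
    i = 0
    while i < len(lines):
        start, line = i + 1, lines[i]
        while line.rstrip().endswith("\\") and i + 1 < len(lines):
            i += 1
            line = line.rstrip()[:-1] + lines[i]
        if line.startswith("action="):
            actions.append((start, line[len("action="):].strip()))
        i += 1
    return actions


def programs_in_action(action: str) -> Iterator[str]:
    """Yield the program token of each command-running action in an action list.
    Assumption: actions are separated by ';' and shell quoting is not parsed."""
    for part in action.split(";"):
        tokens = part.split()
        if len(tokens) >= 2 and tokens[0] in EXEC_ACTIONS:
            yield tokens[1]


def check_program(program: str, cwd: str) -> str:
    """Classify a program token using only what is known at load time:
    returns 'ok' or the reason a warning would be logged."""
    if VAR_RE.search(program):
        # The variable is assigned at run time, so nothing can be verified now
        return "unresolved-variable"
    if os.path.isabs(program):
        return "ok" if os.path.isfile(program) else "missing-absolute"
    # A bare name is only tried against the current directory, never PATH
    return "ok" if os.path.isfile(os.path.join(cwd, program)) else "missing-relative"


def load_time_warnings(rule_text: str, cwd: str) -> List[Tuple[int, str, str]]:
    """Every (line, program, reason) a load-time check would warn about."""
    found: List[Tuple[int, str, str]] = []
    for line_no, action in parse_actions(rule_text):
        for program in programs_in_action(action):
            reason = check_program(program, cwd)
            if reason != "ok":
                found.append((line_no, program, reason))
    return found


def demo() -> List[Tuple[int, str, str]]:
    """Check SAMPLE_RULES with a scratch directory as the working directory;
    the directory holds an executable local_tool.sh so that case passes."""
    cwd = tempfile.mkdtemp()
    tool = os.path.join(cwd, "local_tool.sh")
    with open(tool, "w") as fh:
        fh.write("#!/bin/sh\necho local\n")
    os.chmod(tool, 0o755)
    return load_time_warnings(SAMPLE_RULES, cwd)


if __name__ == "__main__":
    for line_no, program, reason in demo():
        # shutil.which shows which 'missing' bare names PATH would resolve later
        via_path = shutil.which(program) if reason == "missing-relative" else None
        print(f"line {line_no}: could not find '{program}' ({reason}; PATH gives {via_path})")
```

Running it warns about line 12 (the shellcmd that uses %n), line 19 (the absent absolute path) and line 25 (bare `sh`), and says nothing about line 6, which matches Risto's remark that the assign rule itself is not the source of the warnings. Separating the reason strings is what lets an operator treat `unresolved-variable` as informational while still acting on `missing-absolute`.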

On 09/30/2011 12:12 PM, Thomas Wollner wrote:
> Hello List,
>
> I have the following SEC rule:
>
> type=single
> desc=input facts file
> ptype=regexp
> continue=TakeNext
> pattern=^SEC_STARTUP$|^SEC_RESTART$|^SEC_SOFTRESTART$
> action=assign %n /opt/sec/tools/mytool.sh; \
>
>
> upon starting or reloading the SEC process I receive the following
> warning message in my sec.log
>
>    sec.pl[20304]: Rule in /opt/sec/rules/cisco.rule at line 887:
> Warning - could not find '%%n'
>
> I receive the warning message for each use of the assigned %n.
>
> Everything works as expected, but the warning messages appear every
> time I reload or restart my SEC process.
>
> I'm using sec 2.6.1 on debian 6.0 (amd64) with perl 5.10.1.
>
> Any ideas?
>
> Thank you in advance,
>
> Best regards,
>
> Tom
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>
