Hello, I have a situation where I need to detect duplicated logins to a database. For example:
Format of the messages (simplified for readability):

from_machine_1 | user_x | session_id | db_engine | OPEN:db_name

Example:

host_a | userA | 1234 | engineX | OPEN:somedb
host_a | userA | 8765 | engineX | OPEN:somedb
host_b | userA | 3455 | engineX | OPEN:somedb

These are all duplicated logins. The only static fields are the user and the db name. The problem is that I also need to correlate the end of the logins:

host_a | userA | 1234 | engineX | CLOSE:somedb

The correlation of the OPEN/CLOSE is easy using a context representing the open session. So when I get an OPEN message I create the context with all the fields and a window waiting for the CLOSE. When the CLOSE arrives within the window, I delete the context.

The problem is the duplicates that could arrive in the meantime. I can create another context with only the user and the db name, representing a session from that user to the db, but I don't know when to delete this context, because the presence of a CLOSE doesn't mean that all the duplicated sessions have ended.

I did some hacks in the action with the main::context_list variable, adding all the OPENs to the more general context (the one with only the user and db name), but I don't know if it is the best way, because it won't work with the order of the messages that I send in the attachment. It will work the first time, but when I send the same messages again, the first OPEN from xpto.tmn.pt doesn't do anything.

The rules, messages and output are attached. I would appreciate some help.
2011-12-30 16:51:43 2011-12-30 16:51:43 MACHINE1 A5_TST_3.a5_tst_3.6: ONLN|2011-12-30 16:51:42.175|xpto.tmn.pt|217387|a5_tst_3|sy913241|0:OPDB:nserv:0:-
2011-12-30 16:51:43 2011-12-30 16:51:43 MACHINE1 A5_TST_3.a5_tst_3.6: ONLN|2011-12-30 16:51:42.175|xpto2.tmn.pt|217385|a5_tst_3|sy913241|0:OPDB:nserv:0:-
2011-12-30 16:51:43 2011-12-30 16:51:43 MACHINE1 A5_TST_3.a5_tst_3.6: ONLN|2011-12-30 16:51:42.175|xpto2.tmn.pt|217386|a5_tst_3|sy913241|0:OPDB:nserv:0:-
2011-12-30 17:19:44 2011-12-30 17:19:44 MACHINE1 A5_TST_3.a5_tst_3.6: ONLN|2011-12-30 17:19:44.441|xpto2.tmn.pt|217386|a5_tst_3|sy913241|0:CLDB:nserv
2011-12-30 17:19:44 2011-12-30 17:19:44 MACHINE1 A5_TST_3.a5_tst_3.6: ONLN|2011-12-30 17:19:44.441|xpto.tmn.pt|217387|a5_tst_3|sy913241|0:CLDB:nserv
2011-12-30 17:19:44 2011-12-30 17:19:44 MACHINE1 A5_TST_3.a5_tst_3.6: ONLN|2011-12-30 17:19:44.441|xpto2.tmn.pt|217385|a5_tst_3|sy913241|0:CLDB:nserv
Attachments: rule.sec, messages.log
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
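The correlation logic the question describes, written out as an added example in Python rather than as an SEC rule; this is not the poster's rule.sec and not part of the original message. It keeps two kinds of state, mirroring the two contexts in the question: a per-session context keyed by session id, and a per-(user, db) context that holds the set of session ids currently open for that pair. A second OPEN while the set is non-empty is a duplicate login; the (user, db) context is dropped only when the last open session id is removed from it, which is the deletion point the question asks about. An expiry step stands in for the window on the OPEN/CLOSE pair, so a session whose CLOSE never arrives is eventually released. The sample lines and the `window` value are constructed and use the simplified field order from the question, not the real ONLN message format.

```python
"""Track database sessions per (user, db) and flag concurrent duplicate logins."""
import re
from collections import defaultdict

# Constructed sample log in the simplified format quoted in the question (not real data).
SAMPLE_LOG = [
    (0, "host_a | userA | 1234 | engineX | OPEN:somedb"),
    (1, "host_a | userA | 8765 | engineX | OPEN:somedb"),   # duplicate: 1234 still open
    (2, "host_b | userA | 3455 | engineX | OPEN:somedb"),   # duplicate, from another host
    (3, "host_a | userA | 8765 | engineX | CLOSE:somedb"),  # userA/somedb still has 2 open
    (4, "host_c | userB | 9001 | engineX | OPEN:somedb"),   # other user: not a duplicate
    (5, "host_a | userA | 1234 | engineX | CLOSE:somedb"),
    (6, "host_b | userA | 3455 | engineX | CLOSE:somedb"),  # last one: (userA, somedb) context removed
    (7, "host_b | userA | 4000 | engineX | OPEN:somedb"),   # fresh login, no duplicate
]

LINE_RE = re.compile(
    r"^\s*(?P<host>\S+)\s*\|\s*(?P<user>\S+)\s*\|\s*(?P<sid>\S+)\s*\|"
    r"\s*(?P<engine>\S+)\s*\|\s*(?P<op>OPEN|CLOSE):(?P<db>\S+)\s*$"
)


class SessionTracker:
    def __init__(self, window=3600):
        self.window = window                 # seconds an OPEN may wait for its CLOSE (assumed value)
        self.sessions = {}                   # per-session context: sid -> {host, user, db, opened_at}
        self.open_by_key = defaultdict(set)  # per-(user, db) context: (user, db) -> set of open sids
        self.alerts = []

    def feed(self, ts, line):
        """Process one log line observed at time ts; return an alert string or None."""
        m = LINE_RE.match(line)
        if not m:
            return None
        f = m.groupdict()
        if f["op"] == "CLOSE":
            self._end(f["sid"])
            return None
        if f["sid"] in self.sessions:
            return None  # replayed OPEN for a session already being tracked
        key = (f["user"], f["db"])
        others = sorted(self.open_by_key[key])  # sessions already open for this user/db
        self.sessions[f["sid"]] = {"host": f["host"], "user": f["user"],
                                   "db": f["db"], "opened_at": ts}
        self.open_by_key[key].add(f["sid"])
        if not others:
            return None
        hosts = sorted({self.sessions[s]["host"] for s in others})
        alert = (f"duplicate login: {f['user']}@{f['db']} session {f['sid']} from {f['host']} "
                 f"while sessions {others} are open from {hosts}")
        self.alerts.append(alert)
        return alert

    def _end(self, sid):
        """Drop the session context; drop the (user, db) context only when no session remains."""
        s = self.sessions.pop(sid, None)
        if s is None:
            return  # CLOSE without a matching OPEN: nothing to correlate
        key = (s["user"], s["db"])
        self.open_by_key[key].discard(sid)
        if not self.open_by_key[key]:
            del self.open_by_key[key]

    def expire(self, now):
        """Release sessions whose window has passed without a CLOSE; return their ids."""
        stale = [sid for sid, s in self.sessions.items() if now - s["opened_at"] > self.window]
        for sid in stale:
            self._end(sid)
        return stale

    def open_sessions(self):
        """Current (user, db) contexts and the session ids each one still holds."""
        return {k: sorted(v) for k, v in self.open_by_key.items()}


def run_sample():
    tracker = SessionTracker(window=3600)
    for ts, line in SAMPLE_LOG:
        tracker.feed(ts, line)
    return tracker


if __name__ == "__main__":
    t = run_sample()
    for a in t.alerts:
        print(a)
    print(t.open_sessions())
```

Run over the sample, this raises two alerts (for sessions 8765 and 3455) and, once all three userA sessions have closed, the (userA, somedb) context disappears, so the later OPEN of session 4000 is not reported. Feeding the same lines a second time does not re-alert on an OPEN whose session id is already tracked, which is the replay behaviour the question mentions; whether that is the behaviour you want depends on whether a repeated OPEN for the same id is a duplicate message or a genuinely new login.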