hi Tom,
in order to illustrate the concept, let me provide the following
SingleWithSuppress rule as an example:

type=SingleWithSuppress
ptype=RegExp
pattern=this is a test message
desc=Reacting to test message from $+{_inputsrc} and suppressing
action=write - $0
window=60

In a nutshell, this rule will react to a message "this is a test
message" and start an event correlation operation with a lifetime of 60
seconds. The operation will write the whole matching line to standard
output, and will then suppress further matching messages for 60 seconds.
However, it is important to note that the ID of the operation is created
from the 'desc' field (plus the rule file name and the rule number
inside the file, as explained in
http://simple-evcorr.sourceforge.net/man.html#lbAW). Since in our case
the 'desc' field contains the $+{_inputsrc} match variable which holds
the input file name, the repeated message suppression is done for
individual files separately.
For example, if you see the following messages in input files log1 and log2:

12:01:01 this is a test message (from log1)
12:01:23 this is a test message (from log1)
12:01:51 this is a test message (from log2)
12:01:56 this is a test message (from log1)
12:02:05 this is a test message (from log2)
12:02:13 this is a test message (from log1)

then the first, third and sixth line will be echoed to standard output,
while the second, fourth and fifth line will be suppressed. Also, these
six lines are correlated by two different event correlation operations.
Hope I was able to explain the concept.
kind regards,
risto
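As an added illustration of the point made above (this is not part of Risto's reply and not SEC's own code), the following Python script replays the six constructed log lines through a simulated SingleWithSuppress rule. It models only what the explanation describes: the operation ID is built from the rule file name, the rule number and the expanded desc field, the operation lives for window seconds from the event that created it, and matching events arriving while it is alive are suppressed. The rule file name and rule number are placeholders, and $+{_inputsrc} is the only match variable substituted. It also goes one step beyond the message by running the same events through a desc without $+{_inputsrc}, so the difference between one shared operation and one operation per file is visible side by side.

```python
import re
from datetime import datetime, timedelta

# Constructed input: the six lines from the message above, each tagged with
# the input file it was read from (what SEC exposes as $+{_inputsrc}).
EVENTS = [
    ("12:01:01", "log1", "this is a test message"),
    ("12:01:23", "log1", "this is a test message"),
    ("12:01:51", "log2", "this is a test message"),
    ("12:01:56", "log1", "this is a test message"),
    ("12:02:05", "log2", "this is a test message"),
    ("12:02:13", "log1", "this is a test message"),
]

PATTERN = re.compile(r"this is a test message")   # the rule's pattern=
WINDOW = 60                                       # the rule's window= (seconds)

PER_FILE_DESC = "Reacting to test message from $+{_inputsrc} and suppressing"
SHARED_DESC = "Reacting to test message and suppressing"


def expand_desc(desc, inputsrc):
    """Substitute $+{_inputsrc} into the desc field the way SEC does when it
    builds the operation ID (only this one match variable is modelled)."""
    return desc.replace("$+{_inputsrc}", inputsrc)


def single_with_suppress(events, desc, window=WINDOW,
                         rulefile="example.conf", ruleno=0):
    """Replay events through one simulated SingleWithSuppress rule.

    rulefile/ruleno are placeholder values for the two other components of
    the operation ID. Returns the 1-based indices of the lines that would be
    written by the action (all others are suppressed).
    """
    ops = {}        # operation ID -> time at which the operation expires
    written = []
    for idx, (ts, inputsrc, line) in enumerate(events, start=1):
        if not PATTERN.search(line):
            continue                       # rule does not match this line
        now = datetime.strptime(ts, "%H:%M:%S")
        op_id = (rulefile, ruleno, expand_desc(desc, inputsrc))
        expiry = ops.get(op_id)
        if expiry is not None and now < expiry:
            continue                       # operation alive: suppress
        # No operation for this ID, or it has expired: act and start a new one.
        ops[op_id] = now + timedelta(seconds=window)
        written.append(idx)
    return written


def operation_count(events, desc, window=WINDOW):
    """Number of distinct operation IDs the events produce for this desc."""
    ids = {expand_desc(desc, src) for _, src, line in events
           if PATTERN.search(line)}
    return len(ids)


if __name__ == "__main__":
    for label, desc in (("per-file desc", PER_FILE_DESC),
                        ("shared desc", SHARED_DESC)):
        print(f"{label}: lines written {single_with_suppress(EVENTS, desc)}, "
              f"{operation_count(EVENTS, desc)} correlation operation(s)")
```

With the desc from the rule above, lines 1, 3 and 6 are written and two operations exist, as the message states; with the shared desc only lines 1 and 5 are written, because the single operation started by the first line from log1 also swallows the first line from log2.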
On 06/18/2013 06:03 PM, Tom De Dobbeleer wrote:
> Hi all,
>
> I posted the following question on stackoverflow:
> http://stackoverflow.com/questions/16921271/sec-simple-event-correlator-handle-multiple-log-files
> (too long to post here)
>
> It comes down to this: I need Sec to process multiple log files
> separately. Otherwise I cannot use suppress when the same error occurs
> in multiple log files!
>
> Risto wrote that it was possible:
>
> “SEC supports matching events coming from particular sources via file
> contexts. File context is a logical identifier for one or several files
> which can be used in SEC rules for restricting the scope of matching.
> File contexts can be set up with the --intcontexts command line option.
>
> If you would like to retrieve the input log file name after a regular
> expression match, there is a special match variable $+{_inputsrc} which
> is automatically set by SEC, and can be used alongside with $1, $2 and
> other regular match variables.
>
> Also, you are welcome to post your question to the SEC mailing list
> where most of the user discussion is taking place. The list is also most
> likely to provide you with a quick answer.
>
> kind regards, risto”
>
> Can someone provide a simple example of this?
>
> For example: I have two log files (log1, log2) and I want to process
> them for the same error (error) with suppress. How can I make sure the
> second error is not suppressed?
>
> Kind regards,
>
> Tom
------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:
Build for Windows Store.
http://p.sf.net/sfu/windows-dev2dev
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users