On Fri, 28 Jun 2013, Boyles, Gary P wrote:
> Hi All,
>
> I have a request for a rule-set that does the following:
>
> 1. An event comes in with "node" in $2, class NFS_IS_Slow in ($4), severity
>    in ($5), and source in ($10).
> 2. The request is for an event of this class ($4) from node ($2) to change the
>    severity ($5) from CRITICAL to HARMLESS.
> 3. This is fairly easy to do... with the following rule:
>
> # Split the " :: "-separated event into $1..$14 (an empty list means no match),
> # then downgrade only if no NFS_STOP context exists for this node ($2) and
> # source ($10), the class ($4) is NFS_IS_Slow and the severity ($5) is CRITICAL.
> # The class regex is /nfs_is_slow/i so that it actually hits NFS_IS_Slow.
> type=Single
> continue=DontCont
> ptype=PerlFunc
> pattern=sub { my(@parseStr) = split(/ :: /, $_[0]); return @parseStr; }
> context=!NFS_STOP::$2::$10 && $4 $5 -> ( sub { \
>     my ($class, $severity) = @_; \
>     return ($class =~ /nfs_is_slow/i && $severity eq "CRITICAL") ? 1 : 0; } )
> desc=NFS_Slow_To_HARMLESS::$2::$10
> action=write %SEC_HOME/log/EC.main.log %u %s ; \
>        event $1 :: $2 :: $3 :: $4 :: HARMLESS :: $6 :: $7 :: $8 :: $9 :: $10 :: $11 :: $12 :: $13 :: $14
>
> More Info:
>
> I have a request to keep the severity of CRITICAL if the "source" ($10) is
> different for two events.
>
> Question:
>
> Is there an easy way to set the context "NFS_STOP::$2::$10" if the source ($10)
> changes?
>
> I've got perl-code that sets this in a rule, and this rule is placed before the
> one above, but I was looking for a simple way to evaluate a previous
> event/context and set the context below without using a lot of perl code.
>
> Summary:
>
> 1. I use the rule above to change/replace the severity from CRITICAL to
>    HARMLESS.
> 2. But I also need to NOT do that (i.e. deactivate the rule) if $10 is
>    different for two events.
The context can be any string you want, so you can include $10 in the context.

Now, the first problem I have is that you want to do something if $10 is
different for two events, but two events over what timeframe? Over the entire
time that SEC is running?

Does the quantity and order of alerts matter? What if you get 10 events from
one and 1 event from a second? What if you get 1 event from one and 10 events
from a second?

You may very well want to have multiple rules processing the same log line
(takenext=continue) so that you can do different things with the log messages,
but more info is needed to create the specific rules.
David Lang
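As an added illustration (not code from the thread, and not an SEC rule set), the following Python model replays the correlation the two messages describe: it splits " :: "-separated events into $1..$14 the way the PerlFunc pattern does, keeps an NFS_STOP::<node>::<source> context with a lifetime, and applies the downgrade rule, preceded by a rule that raises NFS_STOP when the same node reports from a second source. The 300-second window, the choice to keep both sources CRITICAL for the rest of that window, the class test on NFS_IS_Slow (the class the question names), and the sample events are all assumptions standing in for the answers to the timeframe and ordering questions above.

```python
"""Constructed Python model of the NFS_Slow correlation from the thread.

Not SEC code and not the poster's code: it mimics SEC's ' :: '-separated
fields (SEC's $n becomes fields[n]), the NFS_STOP::<node>::<source> context,
and the downgrade rule, plus one way to set NFS_STOP on a source change.
The 300-second window and "both sources stay CRITICAL" are assumptions.
"""
import re

SEP = " :: "
# Assumed class test; the thread names the class as NFS_IS_Slow.
NFS_CLASS = re.compile(r"nfs_is_slow", re.IGNORECASE)


def parse_event(line):
    """Equivalent of the PerlFunc pattern: split on ' :: '.

    fields[0] is the whole line (like SEC's $0), fields[n] is $n."""
    return [line] + line.split(SEP)


def should_downgrade(fields):
    """The perl check from the context expression: class ($4) is an NFS slow
    event and severity ($5) is CRITICAL."""
    return bool(NFS_CLASS.search(fields[4])) and fields[5] == "CRITICAL"


class Correlator:
    """Two rules applied in order, the first one with continue=TakeNext."""

    def __init__(self, window_seconds=300):
        self.window = window_seconds
        self.contexts = {}      # context name -> expiry time (SEC context lifetime)
        self.last_source = {}   # node -> (source, time of its last NFS slow event)
        self.log = []           # what the 'write' action would append

    def _expire(self, now):
        self.contexts = {name: exp for name, exp in self.contexts.items() if exp > now}

    def process(self, now, line):
        """Feed one event at time 'now'; return it as it leaves the rule set."""
        self._expire(now)
        f = parse_event(line)
        if len(f) < 15:                     # not a 14-field event: pass through
            return line
        node, cls, src = f[2], f[4], f[10]

        # Rule 1 (any severity): if this node's previous NFS slow event came
        # from a different source inside the window, raise NFS_STOP for both
        # sources so neither gets downgraded for the rest of the window.
        if NFS_CLASS.search(cls):
            prev = self.last_source.get(node)
            if prev and prev[0] != src and now - prev[1] <= self.window:
                for s in (prev[0], src):
                    self.contexts[f"NFS_STOP::{node}::{s}"] = now + self.window
            self.last_source[node] = (src, now)

        # Rule 2: the poster's rule, context=!NFS_STOP::$2::$10 && perl check.
        if f"NFS_STOP::{node}::{src}" not in self.contexts and should_downgrade(f):
            self.log.append(f"{now} NFS_Slow_To_HARMLESS::{node}::{src}")
            f[5] = "HARMLESS"               # the 'event' action re-emits with $5 replaced
            return SEP.join(f[1:])
        return line


def make_event(node, severity, source, cls="NFS_IS_Slow"):
    """Constructed 14-field sample event; only $2, $4, $5 and $10 matter here."""
    fields = ["1001", node, "nfs-probe", cls, severity, "f6", "f7", "f8", "f9",
              source, "f11", "f12", "f13", "f14"]
    return SEP.join(fields)


def run_sample(window_seconds=300):
    """Replay a constructed sequence; return the severity of each output event."""
    c = Correlator(window_seconds)
    stream = [
        (0,   make_event("nfs01", "CRITICAL", "nagios")),   # downgraded
        (60,  make_event("nfs01", "CRITICAL", "nagios")),   # downgraded
        (120, make_event("nfs01", "CRITICAL", "zabbix")),   # second source: stays CRITICAL
        (130, make_event("nfs01", "CRITICAL", "nagios")),   # NFS_STOP now set: stays CRITICAL
        (140, make_event("nfs02", "CRITICAL", "nagios")),   # other node: unaffected
        (150, make_event("nfs01", "WARNING",  "nagios")),   # not CRITICAL: untouched
        (500, make_event("nfs01", "CRITICAL", "nagios")),   # window expired: downgraded again
    ]
    return [parse_event(c.process(t, e))[5] for t, e in stream]


if __name__ == "__main__":
    print(run_sample())
```

Running run_sample() shows the first two nagios events downgraded, the zabbix event and the nagios event that follows it kept CRITICAL, the other node and the WARNING event untouched, and the event after the window expires downgraded again. The window length and what to do with the first source (already downgraded before the second source showed up) are exactly where the timeframe and ordering questions above have to be answered before this can become real SEC rules.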
------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:
Build for Windows Store.
http://p.sf.net/sfu/windows-dev2dev
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users