On 09/05/2013 09:45 PM, John P. Rouillard wrote:
>
> Hi all:
>
> It looks like I have a reason to use the rewrite rule to normalize
> some data. From reading the man page, I think this should work:
>
> type=single
> ptype=regexp
> pattern=^([^[]*): (\[[0-9]\]:.*)$
> desc = normalize 'process: [pid]:' into 'process[pid]:'
> action = rewrite 1 $1$2
> continue=takenext
>
> type = single
> desc = this rule should see the normalized event in the rewritten buffer
> ...
>
> Is this correct?
yes, since 'rewrite' changes the input buffer immediately, without
postponing the modification to the end of the processing iteration.

> From this it looks like:
>
> I must have continue set to TakeNext/GoTo otherwise the handling of the
> event ends and new event is pushed on the front of the buffer.

This is true if you have one rule file only. However, in the case of
several files the result depends on the order of rule file matching
against input. For example, if you have created several rulesets with
Options rules, and you have a Jump rule

type=Jump
...
cfset=setA setB setC

with setA containing the 'rewrite' rule, rules of setB and setC will see
the modified input buffer, regardless of the 'continue' parameter of the
'rewrite' rule.

> If so that is a useful thing to mention in the description of the
> rewrite action. Since it allows the effect of the action to take
> effect the same processing cycle. Unlike the event action where the
> new event is processed on the next cycle through the loop.
>
> Also I assume that the following rules in the processing loop will see
> the rewritten event in the updated buffer. Is that correct? Or is
> rewrite only useful for rewriting the event buffer for future
> multi-line correlation rules?

rewrite is useful for both scenarios, since the modifications are done
immediately. Thus, it allows the rules to match the changed data during
the same iteration, but the multiline matching is equally affected.

However, the actual effect on multiline matching depends heavily on the
--nojointbuf option. Without this option, one buffer is used for all
inputs, which allows for multiline matching against events from
different sources. However, since the order of events from regular
sources can often not be reliably predicted, this option mostly makes
sense when SEC is run with one input source, or for matching multiline
combinations of regular and synthetic events.
With the --nojointbuf option, input sources and synthetic events get
separate input buffers, and multiline matching is done strictly for one
source only. This implies that if 'rewrite' is used to reformat events
for multiline matching, the results of 'rewrite' could become useful not
during the next processing loop, but much later (if at all). For
example, if you modify the last line in an input buffer of some source,
and have a Regexp2 pattern which expects the modified data to appear in
the line before the last one, the pattern can only match if a new line
gets pushed into the buffer of this particular source. If this line
never appears, there will be no match, even though large amounts of data
can be received from other input sources.

hope this helped to clarify the rewrite action a bit,
risto

> It seems this was described on the mailing list during the development
> of the action, but my google fu isn't being helpful here.
>
> Thanks.
> --
> -- rouilj
> John Rouillard
> ===========================================================================
> My employers don't acknowledge my existence much less my opinions.
>
> ------------------------------------------------------------------------------
> Learn the latest--Visual Studio 2012, SharePoint 2013, SQL 2012, more!
> Discover the easy way to master current and previous Microsoft technologies
> and advance your career. Get an incredible 1,500+ hours of step-by-step
> tutorial videos with LearnDevNow. Subscribe today and save!
> http://pubads.g.doubleclick.net/gampad/clk?id=58041391&iu=/4140/ostg.clktrk
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
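The following is an added illustration, not part of the thread and not SEC's own code. It is a small Python model of the two points made above: a 'rewrite' action edits the input buffer in place, so a later rule in the same pass (and a two-line Regexp2-style pattern) already sees the normalized text; and with per-source buffers (the --nojointbuf situation) a two-line pattern that expects the rewritten form in the line before the last one only fires once a further line arrives for that same source, however much data other sources produce. Assumptions: 'rewrite N text' is modelled as dropping the last N buffer lines and appending the lines of the text; the buffer holds two lines; the pid class is widened to [0-9]+ so multi-digit pids match; the rule descriptions, the 'sshd'/'kernel' sample lines and the source names 'auth'/'kern' are constructed for the example.

```python
"""Toy model of SEC's input buffer and the 'rewrite' action (added example,
not SEC code). It covers only the behaviour discussed in the thread."""
import re
from collections import deque

# Normalisation rule from the thread: 'proc: [123]: msg' -> 'proc[123]: msg'
# (assumption: [0-9]+ instead of [0-9], so multi-digit pids are matched too).
NORMALIZE = re.compile(r'^([^[]*): (\[[0-9]+\]:.*)$')

# The rule placed after the rewrite rule in the same pass; it only matches
# the normalised form 'process[pid]: message'.
NORMALIZED_FORM = re.compile(r'^(\S+)\[([0-9]+)\]: (.*)$')

# A Regexp2-style pattern (two buffer lines joined with "\n") that expects
# the normalised form in the line *before* the last one as well.
TWO_LINE = re.compile(r'^sshd\[([0-9]+)\]: Failed password\n'
                      r'sshd\[\1\]: Connection closed$')


class Buffer:
    """Input buffer holding the newest `size` lines; lines[-1] is the newest."""

    def __init__(self, size=2):
        self.lines = deque(maxlen=size)

    def push(self, line):
        self.lines.append(line)

    def rewrite(self, n, text):
        """Model of 'rewrite N text' (assumption: drop the last N lines and
        append the lines of `text`); the edit is visible immediately."""
        for _ in range(min(n, len(self.lines))):
            self.lines.pop()
        for t in text.split('\n'):
            self.lines.append(t)

    def joined(self):
        return '\n'.join(self.lines)


# Rule list modelled on the thread:
# (desc, number of buffer lines the pattern covers, regex, action, continue)
RULES = [
    ('normalize process: [pid]: into process[pid]:', 1, NORMALIZE,
     lambda buf, m: buf.rewrite(1, m.group(1) + m.group(2)), True),
    ('sees the normalized event', 1, NORMALIZED_FORM, None, True),
    ('two-line pattern sees it too', 2, TWO_LINE, None, False),
]


def run_rules(buf, rules=RULES):
    """One pass of the rule list after a line was pushed into `buf`.
    Returns the descriptions of the rules that matched, in order."""
    matched = []
    for desc, nlines, regex, action, cont in rules:
        if len(buf.lines) < nlines:
            continue
        m = regex.match('\n'.join(list(buf.lines)[-nlines:]))
        if not m:
            continue
        matched.append(desc)
        if action:
            action(buf, m)      # 'rewrite' changes the buffer right here,
        if not cont:            # so the next rule already sees the new text
            break
    return matched


def single_pass(line):
    """Feed one line into an empty buffer; return (matched rules, buffer)."""
    buf = Buffer(2)
    buf.push(line)
    return run_rules(buf), buf.joined()


# Constructed sample stream: (input source, raw line). The 'kern' lines are
# unrelated noise from another source interleaved with the two 'auth' lines.
STREAM = [
    ('auth', 'sshd: [4711]: Failed password'),
    ('kern', 'kernel: [0]: oom-killer invoked'),
    ('kern', 'kernel: [0]: out of memory'),
    ('auth', 'sshd: [4711]: Connection closed'),
]


def first_two_line_match(stream, nojointbuf):
    """Replay `stream`; return the index of the event on which the two-line
    pattern first matched, or None. nojointbuf=True gives every source its
    own buffer, as with sec --nojointbuf; False uses one joint buffer."""
    buffers = {}
    for i, (source, line) in enumerate(stream):
        buf = buffers.setdefault(source if nojointbuf else 'joint', Buffer(2))
        buf.push(line)
        if 'two-line pattern sees it too' in run_rules(buf):
            return i
    return None


if __name__ == '__main__':
    print(single_pass('sshd: [4711]: Failed password'))
    print(first_two_line_match(STREAM, nojointbuf=True))       # 3
    print(first_two_line_match(STREAM[:3], nojointbuf=True))   # None
    print(first_two_line_match(STREAM, nojointbuf=False))      # None
```

Replaying the same four events three ways makes the trade-off visible: with per-source buffers the two-line pattern fires on the fourth event, because the first 'auth' line was already rewritten and the 'kern' traffic never touched the 'auth' buffer; cut the stream after the third event and it never fires, no matter how much 'kern' data arrived; with one joint buffer it never fires either, because the two 'kern' lines pushed the rewritten 'auth' line out of the two-line window.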
