hi Mark,
maybe I am wrong here, but can't the quoting problem be handled with the
lcall action?
For example, lcall %o $+{Message} -> ( sub { ... } )
would pass $+{Message} as a string into a precompiled function where it can
be retrieved from $_[0]. Of course, using eval %o ( $+{Message} ) would
indeed introduce a quoting problem, since $+{Message} would be substituted
into uncompiled code.
I agree of course that accessing $+{Message} from varmap is fastest,
because $+{Message} does not need substitution into the function parameter
list.
kind regards,
risto

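The difference Risto describes, as an added Perl illustration (not code from the thread or from SEC itself): the eval-style path pastes the field value into source text before compilation, while the lcall-style path hands it to an already-compiled sub through @_. The sample event is constructed; its Message field carries an unbalanced ")" so the q(...) literal in the substituted code ends early.

```perl
#!/usr/bin/perl
# Added example: eval-style text substitution vs. lcall-style argument passing.
use strict;
use warnings;

# Package global, as in SEC's eval/lcall code that runs in package main.
our %WINDOWS_WARNING;

# Constructed sample event (not real log data).
my %event = (
    Hostname   => 'host1',
    SourceName => 'Service Control Manager',
    EventID    => 7000,
    Message    => 'Backup job finished :)',   # unbalanced ")" breaks q(...)
);

# eval-style: the value becomes part of the program text, so whatever it
# contains is parsed as Perl (here it is merely a syntax error).
sub count_via_text_substitution {
    my ($ev) = @_;
    my $code = "\$WINDOWS_WARNING{'$ev->{SourceName}'}->{Info}->{"
             . "sprintf('%s: %s/%d: %s', '$ev->{Hostname}', "
             . "'$ev->{SourceName}', '$ev->{EventID}', q($ev->{Message}))}++;";
    eval $code;
    return $@ ? "eval failed: $@" : 'ok';
}

# lcall-style: the sub is compiled once (like the sub { ... } after "->"),
# and field values arrive in @_ without ever being re-parsed, so quoting
# characters in Message cannot alter the code.
my $counter = sub {
    my ($hostname, $source, $id, $message) = @_;
    $WINDOWS_WARNING{$source}->{Info}->{
        sprintf('%s: %s/%d: %s', $hostname, $source, $id, $message) }++;
    return 'ok';
};

print 'substituted: ', count_via_text_substitution(\%event), "\n";
print 'precompiled: ',
      $counter->(@event{qw(Hostname SourceName EventID Message)}), "\n";
my $info = $WINDOWS_WARNING{ $event{SourceName} }->{Info};
print "$_ => $info->{$_}\n" for keys %$info;
```

In a SEC rule the precompiled form corresponds to passing each needed field as an lcall parameter ahead of "->", which is the pattern Risto's reply shows for $+{Message} alone.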

2013/9/23 Mark D. Nagel <[email protected]>

> I thought there must be a way to do this safely without digging into the
> innards of SEC, but it seems I have no solution other than that --
> hoping someone can guide me back to a non-innards method.  The problem
> is this -- how do you take a pattern match and feed that into Perl code
> (via eval or call/lcall) with quoting guaranteed not to be disrupted by
> presence of quoting characters within the string.  In my particular
> case, I have used the JSON flatten method to produce a hash from Windows
> event log data (sent by nxlog-ce), and have stored it in the WINDOWS
> varmap.  For my catchall rules, I want to count how many times I have
> seen a particular string in the Message field per event source.  That
> field has unknown data, so you need to safely quote it, but more
> ideally, the value is already in a Perl variable within SEC -- why not
> bypass quoting and just reference that in the counting code?  I just
> can't see how to pass the variable to the code -- I thought perhaps with
> lcall, but not really since I would have to quote the string still.  So
> I am left with referencing %main::pmatch_cache{WINDOWS} within the code
> to access the values without worrying about quoting issues.  Am I
> missing something, or is this an OK thing to be doing?  You can do what
> I am talking about within the context evaluation (via the :> operator),
> just not within eval/lcall/call from what I can see.
>
> For reference, this is what I am doing (development still in progress,
> so there could be other issues) -- the problem is with the second rule
> that injects the data into the %WINDOWS_WARNING hash using
> q($+{Message}). I can find better quoting methods, like using \001 as
> the quote character, but I sometimes have seen issues with that (e.g.,
> unicode), so avoiding quoting entirely is preferred.
>
> type=Single
> ptype=Cached
> pattern=WINDOWS
> context=!WINDOWS_WARNING_$+{SourceName} && WINDOWS :> ( sub { return $_[0]->{EventType} eq "WARNING" } )
> desc=Windows Unclassified $+{EventType}: $+{SourceName}
> action=create WINDOWS_WARNING_$+{SourceName} 5400 ( \
>        eval %out ( my @ret = map { "$WINDOWS_WARNING{'$+{SourceName}'}->{Info}->{$_}\t$_" } \
>                    sort {$WINDOWS_WARNING{'$+{SourceName}'}->{Info}->{$b} <=> $WINDOWS_WARNING{'$+{SourceName}'}->{Info}->{$a}} \
>                    keys %{$WINDOWS_WARNING{'$+{SourceName}'}->{Info}}; \
>                    unshift(@ret, "First Seen: $WINDOWS_WARNING{'$+{SourceName}'}->{When}\nCount\tEvent\n"); \
>                    delete $WINDOWS_WARNING{'$+{SourceName}'}; \
>                    return @ret; ); \
>        fill WINDOWS_WARNING_$+{SourceName} %out; \
>        report WINDOWS_WARNING_$+{SourceName} /usr/libexec/sec/notify.pl -m %nt_mail -f %nt_from "%s" ); \
>        eval %o ( delete $WINDOWS_WARNING{'$+{SourceName}'}; \
>                  $WINDOWS_WARNING{'$+{SourceName}'}->{When} = time; )
> continue=takenext
>
> type=Single
> ptype=Cached
> pattern=WINDOWS
> context=WINDOWS :> ( sub { return $_[0]->{EventType} eq "WARNING" } )
> desc=Windows Unclassified $+{EventType}: $+{SourceName}
> action=eval %o ( $WINDOWS_WARNING{'$+{SourceName}'}->{Info}->{sprintf("%%s: %%s/%%d: %%s", '$+{Hostname}', '$+{SourceName}', '$+{EventID}', q($+{Message}))}++; )
>
> Thanks,
> Mark
>
> --
> Mark D. Nagel, CCIE #3177 <[email protected]>
> Principal Consultant, Willing Minds LLC (http://www.willingminds.com)
> cell: 949-279-5817, desk: 714-495-4001, fax: 714-646-8277
>
> ** For faster support response time, please
> ** email [email protected] or call 714-495-4000
>
>
>
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>