I thought I would share my final version of the rule I was working on. It turns out that you have made my life much simpler since I last looked deeply into what I could do -- thanks, Risto! Note that this is part of a larger ruleset that begins with a JSON/flatten of Windows events received from nxlog-ce; this rule is the final catch-all Jump target.
Regards,
Mark
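# Handle all unclassified windows events; by default, event types
# are assigned aggregation lifetimes as follows:
#
# error: 30 minutes
# warning: 90 minutes
# audit_failure: 60 minutes
# anything else: 120 minutes
#
# This can be adjusted in the 'eval %lifetime' action line.
#
# How it works (one SEC context per EventType/SourceName pair):
#  - The first event for a pair creates the context with the lifetime
#    above and records the creation time in
#    $WINDOWS_UNCLASSIFIED{type}{source}{When}.
#  - Every event (first or not) increments a counter in the same nested
#    hash, keyed by "host: source/eventid: message".
#  - When the context expires, its action list renders the counters
#    sorted by count (descending), prefixes a "First Seen" header,
#    drops the hash entry, fills the context with that text and pipes
#    it to notify.pl.
#
# Security note: the 'report' action passes its command line to a shell,
# and the mail subject contains $+{SourceName}, which comes straight
# from the Windows event (any application that registers an event
# source controls it).  Rather than interpolating the raw operation
# description via "%s", the subject is built in an lcall that replaces
# anything outside [A-Za-z0-9_ .:/-] with '_' before it is placed on
# the command line.  %nt_mail / %nt_from are expected to be set elsewhere
# in the ruleset from trusted configuration, not from event data.
#
# The whole action list is one backslash-continued line; do not insert
# comment or blank lines inside it.
type=Single
ptype=Cached
pattern=WINDOWS
desc=Windows Unclassified $+{EventType}: $+{SourceName}
action=exists %exists WINDOWS_UNCLASSIFIED_$+{EventType}_$+{SourceName}; \
if %exists ( \
none; \
) else ( \
eval %lifetime ( \
$+{EventType} eq "AUDIT_FAILURE" ? 3600 : \
$+{EventType} eq "WARNING" ? 5400 : \
$+{EventType} eq "ERROR" ? 1800 : \
7200 \
); \
create WINDOWS_UNCLASSIFIED_$+{EventType}_$+{SourceName} %lifetime ( \
lcall %o $+{EventType} $+{SourceName} -> ( \
sub { \
my ($eventtype,$sourcename) = @_; \
my @ret = map { "$WINDOWS_UNCLASSIFIED{$eventtype}{$sourcename}{Info}->{$_}\t$_" } \
sort { $WINDOWS_UNCLASSIFIED{$eventtype}{$sourcename}{Info}->{$b} <=> $WINDOWS_UNCLASSIFIED{$eventtype}{$sourcename}{Info}->{$a} } \
keys %{$WINDOWS_UNCLASSIFIED{$eventtype}{$sourcename}{Info}}; \
unshift(@ret, "First Seen: " . scalar localtime($WINDOWS_UNCLASSIFIED{$eventtype}{$sourcename}{When}) . "\n\nCount\tEvent"); \
delete $WINDOWS_UNCLASSIFIED{$eventtype}{$sourcename}; \
return @ret; \
} ); \
fill WINDOWS_UNCLASSIFIED_$+{EventType}_$+{SourceName} %o; \
lcall %subject $+{EventType} $+{SourceName} -> ( \
sub { \
my ($eventtype,$sourcename) = @_; \
my $subject = "Windows Unclassified $eventtype: $sourcename"; \
$subject =~ s/[^\w .:\/-]/_/g; \
return $subject; \
} ); \
report WINDOWS_UNCLASSIFIED_$+{EventType}_$+{SourceName} /usr/libexec/sec/notify.pl -m %nt_mail -f %nt_from "%subject"; \
); \
lcall %o $+{EventType} $+{SourceName} -> ( \
sub { my ($eventtype,$sourcename) = @_; \
delete $WINDOWS_UNCLASSIFIED{$eventtype}{$sourcename}; \
$WINDOWS_UNCLASSIFIED{$eventtype}{$sourcename}{When} = time; \
} ) \
); \
lcall %o $+{EventType} $+{SourceName} $+{Hostname} $+{EventID} $+{Message} -> ( \
sub { \
my ($eventtype,$sourcename,$hostname,$eventid,$message) = @_; \
$WINDOWS_UNCLASSIFIED{$eventtype}{$sourcename}{Info}->{sprintf("%s: %s/%d: %s", $hostname, $sourcename, $eventid, $message)}++; \
} )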