hi Andrew,

in the case of your rule, both example events

  Sun Dec 1 12:12:41 2013 .1.3.6.1.4.1.3607.6.10.30.0.430 Critical "cisco" CISCO-15454 - CISCO -15454 Loss Of Signal in FAC-15-1 (criticalServiceAffecting),ifIndex=61442
  Sun Dec 1 12:12:41 2013 .1.3.6.1.4.1.3607.6.10.30.0.430 Critical "cisco" CISCO-15454 - CISCO -15454 Loss Of Signal in FAC-15-1 (criticalServiceAffecting),ifIndex=61442

match the 'pattern' field of the rule. As a consequence, the first event starts an event correlation operation which waits for an event matching the regular expression 'Loss Of Signal'. However, since the second event also matches the regular expression given with the 'pattern' field, the operation silently consumes it, without trying the 'Loss Of Signal' regular expression. Therefore, the operation will time out 5 seconds after it was started and run the action given with the 'action' field.

However, from your rule description it seems that you are actually trying to detect 2 loss-of-signal events within 5 seconds. If so, perhaps you can take advantage of the SingleWithThreshold rule with thresh=2 and window=5?

Also, I would rewrite your original regular expression

  (.+) (.+) (.+) (.+) Loss Of Signal

since the first (.+) starts matching characters from the beginning of the line, including timestamps. Your two example events set $1 to the same value only because the events have identical timestamps.

hope this helps,
risto

2014-01-27 andrewarnier <[email protected]>:

> Hi all,
>
> I have created a SEC configuration file and set a SEC rule as follows:
>
> type=PairWithWindow
> ptype=RegExp
> pattern= (.+) (.+) (.+) (.+) Loss Of Signal
> desc= $1_$2_$3_$4_lossOfSignal
> action=write -=p1=$1_p2=$2_p3=$3_p4=$4_patter1
> ptype2=RegExp
> pattern2= Loss Of Signal
> desc2=_lossOfSignal:Flapping
> action2=write - Loss Of Signal Flapping within 5 second window!
> window=5
>
> Save snmptt_test_sec.cfg and execute the following command:
>
> $ perl /usr/local/sbin/sec.pl -conf=snmptt_test_sec.cfg -input=-
> SEC (Simple Event Correlator) 2.4.1
> Reading configuration from snmptt_test_sec.cfg
> 1 rule loaded from snmptt_test_sec.cfg
>
> Type the following lines of input:
>
> Sun Dec 1 12:12:41 2013 .1.3.6.1.4.1.3607.6.10.30.0.430 Critical "cisco" CISCO-15454 - CISCO -15454 Loss Of Signal in FAC-15-1 (criticalServiceAffecting),ifIndex=61442
> Sun Dec 1 12:12:41 2013 .1.3.6.1.4.1.3607.6.10.30.0.430 Critical "cisco" CISCO-15454 - CISCO -15454 Loss Of Signal in FAC-15-1 (criticalServiceAffecting),ifIndex=61442
>
> In this case, the ``events'' were not matched by the rule, as follows:
>
> $ perl /usr/local/sbin/sec.pl -conf=snmptt_test_sec.cfg -input=-
> SEC (Simple Event Correlator) 2.4.1
> Reading configuration from snmptt_test_sec.cfg
> 2 rules loaded from snmptt_test_sec.cfg
> Sun Dec 1 12:12:41 2013 .1.3.6.1.4.1.3607.6.10.30.0.430 Critical "cisco" CISCO-15454 - CISCO -15454 Loss Of Signal in FAC-15-1 (criticalServiceAffecting),ifIndex=61442
> Sun Dec 1 12:12:41 2013 .1.3.6.1.4.1.3607.6.10.30.0.430 Critical "cisco" CISCO-15454 - CISCO -15454 Loss Of Signal in FAC-15-1 (criticalServiceAffecting),ifIndex=61442
> Writing event 'Sun Dec 1 12:12:41 2013 .1.3.6.1.4.1.3607.6.10.30.0.430 Critical "cisco" CISCO-15454_-_CISCO_-15454_lossOfSignal' to file -=p1=Sun Dec 1 12:12:41 2013 .1.3.6.1.4.1.3607.6.10.30.0.430 Critical "cisco" CISCO-15454_p2=-_p3=CISCO_p4=-15454_patter1
>
> But these inputs are the same, why can it match the rule? Is anything wrong with my rule?
>
> Can anyone give me some advice on what to do please?
>
> andrew
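Added example, not from this thread or from SEC's own code: a small Python model of the two rule types discussed above, run over the two traps from the thread. The pair_with_window and single_with_threshold functions are my simplified reading of the SEC semantics, the receive times in EVENTS are constructed, and TIGHTER is a hypothetical replacement regex of my own, not one suggested on the list.

```python
import re

# Constructed input: the two identical Cisco traps from the thread, each tagged with
# the second at which SEC would receive it (half a second apart).
EVENT = ('Sun Dec 1 12:12:41 2013 .1.3.6.1.4.1.3607.6.10.30.0.430 Critical "cisco" '
         'CISCO-15454 - CISCO -15454 Loss Of Signal in FAC-15-1 '
         '(criticalServiceAffecting),ifIndex=61442')
EVENTS = [(0.0, EVENT), (0.5, EVENT)]

ORIGINAL = re.compile(r'(.+) (.+) (.+) (.+) Loss Of Signal')  # 'pattern' from the rule
PATTERN2 = re.compile(r'Loss Of Signal')                      # 'pattern2' from the rule
TIGHTER = re.compile(r'Loss Of Signal in (\S+)')  # hypothetical replacement keyed on the facility

def captures(regex, event):
    """Return what $1, $2, ... would be set to, or None if the regex does not match."""
    m = regex.search(event)
    return m.groups() if m else None

def pair_with_window(events, pattern, pattern2, window):
    """Simplified model of SEC PairWithWindow (an assumption, not SEC's own code).
    Returns ([(action_name, fire_time), ...], count of silently consumed events)."""
    fired, consumed, start = [], 0, None
    for t, ev in events:
        if start is not None and t - start > window:   # window expired before this event
            fired.append(('action', start + window))
            start = None
        if pattern.search(ev):
            if start is None:
                start = t        # first match starts the correlation operation
            else:
                consumed += 1    # another 'pattern' match: swallowed, pattern2 never tried
        elif start is not None and pattern2.search(ev):
            fired.append(('action2', t))
            start = None
    if start is not None:        # still waiting when input ends: the operation times out
        fired.append(('action', start + window))
    return fired, consumed

def single_with_threshold(events, pattern, thresh, window):
    """Simplified model of SEC SingleWithThreshold: 'action' fires once thresh matches fall in window."""
    fired, seen = [], []
    for t, ev in events:
        if pattern.search(ev):
            seen = [s for s in seen if t - s <= window] + [t]
            if len(seen) >= thresh:
                fired.append(('action', t))
                seen = []
    return fired
```

With the thread's two events, pair_with_window(EVENTS, ORIGINAL, PATTERN2, 5) returns ([('action', 5.0)], 1): the second trap is consumed and only the timeout action fires, whereas single_with_threshold(EVENTS, ORIGINAL, 2, 5) returns [('action', 0.5)] on the second trap. captures(ORIGINAL, EVENT) shows $1 swallowing the timestamp and OID, while captures(TIGHTER, EVENT) yields ('FAC-15-1',).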
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
