In message
<caaaeqwedj982rvisjfw4fpriv59mebxuznef07zcjg2tvbd...@mail.gmail.com> ,
Max Clark writes:
>I am trying to customize our SEC installation to alert and suppress
>messages in our syslog. For example I have the following log line from
>syslog:
>
>Feb 10 21:16:52 core1.lax1.as11799.net %RPM0-P: CP
>%SEC-5-TACACS_ACCESS_ACCEPTED: Tacacs access accepted for user "rancid"
>
>For which I am trying to suppress with the following configuration rule:
>
>type=suppress
>ptype=substr
>pattern=%SEC-5-TACACS_ACCESS_ACCEPTED:
>desc=tacacs login
>
>However this rule (which is at the end), is still triggered:
>
>type=singleWithSuppress
>ptype=regexp
>pattern=(%.*?:)
>desc=$1
>action=pipe '$0' mail -s 'Syslog Unknown Event' sec-alert; pipe '$0' /root/bin/notify-hipchat.py
>window=86400
I created a single config file t.sr with just the two rules above and
sent in the example line that you provided and it worked fine.
The command line was: sec -conf t.sr -input=-
I dumped the internal state using kill -USR1 <pid of the sec process>
and got in part:
...
Performance statistics:
============================================================
Run time: 45 seconds
User time: 0.187 seconds
System time: 0.078 seconds
Child user time: 0 seconds
Child system time: 0 seconds
Processed input lines: 3
Rule usage statistics:
============================================================
Statistics for the rules from t.sr
(loaded at Mon Feb 10 17:55:52 2014)
------------------------------------------------------------
Rule 1 line 1 matched 3 events (tacacs login)
Rule 2 line 6 matched 0 events ($1)
Input sources:
============================================================
- (status: Open, type: pipe, device/inode: -/-, received data: 3 lines, no
context set)
Content of input buffer (last 10 input lines):
------------------------------------------------------------
Feb 10 21:16:52 core1.lax1.as11799.net %RPM0-P: CP
%SEC-5-TACACS_ACCESS_ACCEPTED: Tacacs access accepted for user "rancid"
Feb 10 21:16:52 core1.lax1.as11799.net %RPM0-P: CP
%SEC-5-TACACS_ACCESS_ACCEPTED: Tacacs access accepted for user "rancid"
Feb 10 21:16:52 core1.lax1.as11799.net %RPM0-P: CP
%SEC-5-TACACS_ACCESS_ACCEPTED: Tacacs access accepted for user "rancid"
--------------------------------
As you can see all three input lines were consumed by the substr rule.
So my guess is you have some odd character, whitespace or something
that is causing the substr rule to not match.
I am also assuming both these rules are in the same config file. If
that's not the case, then you have to do something different. What you
need to do depends on what version of sec you are using, how your set
of rules files is structured, etc.
Also just a note, but that suppress rule scares me. While rancid
logins may be normal, that rule also suppresses logins by other users
to the device. I usually alert on any non-standard device login, so I
am not sure that your rule is really the best choice.
--
-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
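The three things John raises (an earlier suppress rule consuming the event so the later singleWithSuppress never sees it, rules split across separate -conf files being evaluated independently, and an odd character defeating the substr match) can be tried without a router. The Python below is an added example written for this page, not SEC's own code: a toy evaluator that mimics SEC's default rule semantics (substr and regexp ptypes, first match wins within a file, each file evaluated on its own, singleWithSuppress keyed on the expanded desc), plus a helper that lists control or non-ASCII characters in a line. The sample events, the zero-width space injected into one of them, and the narrower rancid-only suppress rule are all constructed for the example; the window is treated as a count of events rather than seconds.

```python
import re
import unicodedata

# Constructed sample events for this example (not captured from a device).
# EVENT_RANCID is the poster's line, joined back onto one line as syslog delivers it.
EVENT_RANCID = ('Feb 10 21:16:52 core1.lax1.as11799.net %RPM0-P: CP '
                '%SEC-5-TACACS_ACCESS_ACCEPTED: Tacacs access accepted for user "rancid"')
# The same message with a zero-width space (U+200B) inside the mnemonic: invisible
# in a terminal or mail client, but enough to defeat a substr match.
EVENT_HIDDEN = EVENT_RANCID.replace('ACCESS_ACCEPTED', 'ACCESS_\u200bACCEPTED')
# A login by some other account; the broad substr rule would swallow this one too.
EVENT_OTHER = EVENT_RANCID.replace('"rancid"', '"mallory"')

# The two rules from the post, as dicts mirroring the SEC directives.
SUPPRESS_SUBSTR = {'type': 'suppress', 'ptype': 'substr',
                   'pattern': '%SEC-5-TACACS_ACCESS_ACCEPTED:', 'desc': 'tacacs login'}
ALERT_UNKNOWN = {'type': 'singleWithSuppress', 'ptype': 'regexp', 'pattern': r'(%.*?:)',
                 'desc': '$1', 'window': 86400,
                 'action': "pipe '$0' mail -s 'Syslog Unknown Event' sec-alert"}
# Hypothetical narrower suppress rule: only the automation account is ignored,
# so any other TACACS login still reaches the alert rule.
SUPPRESS_RANCID = {'type': 'suppress', 'ptype': 'regexp',
                   'pattern': r'%SEC-5-TACACS_ACCESS_ACCEPTED: .* user "rancid"$',
                   'desc': 'tacacs login by rancid'}


def odd_chars(line):
    """List (index, codepoint, name) for every control or non-ASCII character."""
    return [(i, hex(ord(c)), unicodedata.name(c, 'CONTROL'))
            for i, c in enumerate(line) if ord(c) < 0x20 or ord(c) > 0x7e]


class RuleFile:
    """One SEC rule file: rules are tried in order and the first match consumes
    the event (SEC's default continue=DontCont)."""

    def __init__(self, rules):
        self.rules = rules
        self.suppressed_until = {}  # expanded desc -> time the suppression ends

    def process(self, line, now):
        for rule in self.rules:
            if rule['ptype'] == 'substr':
                if rule['pattern'] not in line:
                    continue
                groups = (line,)
            else:
                m = re.search(rule['pattern'], line)
                if not m:
                    continue
                groups = (line,) + m.groups()

            # $0 is the whole event, $1.. the regexp capture groups, as in SEC.
            def expand(template, groups=groups):
                return re.sub(r'\$(\d+)', lambda g: groups[int(g.group(1))], template)

            if rule['type'] == 'suppress':
                return None  # matched: swallowed, later rules in this file never see it
            desc = expand(rule['desc'])
            if self.suppressed_until.get(desc, -1) > now:
                return None  # singleWithSuppress: already fired for this desc in the window
            self.suppressed_until[desc] = now + rule['window']
            return expand(rule['action'])
        return None  # no rule in this file matched


def run(rule_files, events):
    """Feed every event to each rule file independently, the way SEC treats
    separate -conf files; return the actions that fired. The event index
    stands in for the clock, so window counts events here, not seconds."""
    fired = []
    for now, line in enumerate(events):
        for rf in rule_files:
            action = rf.process(line, now)
            if action is not None:
                fired.append(action)
    return fired


def scenarios():
    """The situations discussed in the thread, each with fresh rule state."""
    three = [EVENT_RANCID] * 3
    return {
        # Both rules in one file: the suppress rule consumes all three events.
        'one_file': run([RuleFile([SUPPRESS_SUBSTR, ALERT_UNKNOWN])], three),
        # Rules split across two files: file 2 never sees file 1's decision.
        'two_files': run([RuleFile([SUPPRESS_SUBSTR]), RuleFile([ALERT_UNKNOWN])], three),
        # An invisible character breaks the substr match, so the alert fires.
        'hidden': run([RuleFile([SUPPRESS_SUBSTR, ALERT_UNKNOWN])], [EVENT_HIDDEN]),
        # Narrow suppress: rancid stays quiet, any other login is alerted on.
        'narrow': run([RuleFile([SUPPRESS_RANCID, ALERT_UNKNOWN])],
                      [EVENT_RANCID, EVENT_OTHER]),
    }


if __name__ == '__main__':
    for name, fired in scenarios().items():
        print(f'{name}: {len(fired)} action(s) fired')
    print('odd characters in EVENT_HIDDEN:', odd_chars(EVENT_HIDDEN))
```

The 'two_files' case is the one to check first when a suppress rule "does not work": with the rules in separate files the alert fires once per window even though the suppress rule matched. If the rules really are in one file, run odd_chars() over the line exactly as SEC receives it (for example read from the same log or pipe, not pasted from mail) to look for the stray byte John suspects; the regexp alert rule still fires on such a line because its pattern is satisfied by the earlier "%RPM0-P:" token.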