Hello,

As you use $0 for desc and feed the event data with a preceding
timestamp, your rule will never correlate, since your desc keys are
all unique (as you can see in the subject of your mails)...

Hope it helps,

regards,

Tom


On 06.04.2014 22:27, Marc MERLIN wrote:
> I run sec with
> root      9041  0.4  0.0   8376  2440 ?        S    Apr05   7:26 /usr/bin/perl -w /usr/bin/sec -conf=/etc/sec.conf -input=/var/log/xpl.log -input=/var/log/syslog -input=/var/log/bind/named.log -input=/var/log/zoneminder.log -input=/var/local/src/misterhouse/data/logs/print.log -pid=/var/run/sec.pid -detach -log=/var/log/sec.log
> 
> I have other SingleWithSuppress rules that seem fine.
> 
> But this one triggers for each event, and I can't figure out why.
> 
> The rule:
> type=SingleWithSuppress
> ptype=RegExp
> pattern=DoorLockChg: Front Door UNKNOWN STATE
> window=3600
> desc=$0
> action=pipe '%t: $0' /usr/bin/mail -s "sec: %s" email
> 
> I tried in debug mode from the command line and the mail only gets
> sent once.
> gargamel:~# sec -input=- -debug=5  -conf=/etc/sec.conf
> SEC (Simple Event Correlator) 2.5.3
> Reading configuration from /etc/sec.conf
> Stdin connected to terminal, SIGINT can't be used for changing the logging level
> DoorLockChg: Front Door UNKNOWN STATE (UNDEF(cat: /etc/owfs/uncached/8_Channel_IO/sensed.6
> Feeding event 'Sun Apr  6 13:26:15 2014: DoorLockChg: Front Door UNKNOWN STATE (UNDEF(cat: /etc/owfs/uncached/8_Channel_IO/sensed.6' to shell command '/usr/bin/mail -s "sec: DoorLockChg: Front Door UNKNOWN STATE (UNDEF(cat: /etc/owfs/uncached/8_Channel_IO/sensed.6" email'
> DoorLockChg: Front Door UNKNOWN STATE (UNDEF(cat: /etc/owfs/uncached/8_Channel_IO/sensed.6
> DoorLockChg: Front Door UNKNOWN STATE (UNDEF(cat: /etc/owfs/uncached/8_Channel_IO/sensed.6
> DoorLockChg: Front Door UNKNOWN STATE (UNDEF(cat: /etc/owfs/uncached/8_Channel_IO/sensed.6
> 
> And yet, if you see the mails below, I got 6 in a row a few
> seconds apart.
> 
> I'm stumped. What am I missing?
> 
> Thanks, Marc
> 
> 
> ----- Forwarded message from root <[email protected]> -----
> 
> Date: Sun, 06 Apr 2014 12:46:05 -0700
> Subject: sec: 06/04/2014 12:46:02  DoorLockChg: Front Door UNKNOWN STATE (UNDEF(cat: /etc/owfs/uncached/8_Channel_IO/sensed.6: No such file or directory))
> 
> Sun Apr  6 12:46:05 2014: 06/04/2014 12:46:02  DoorLockChg: Front Door UNKNOWN STATE (UNDEF(cat: /etc/owfs/uncached/8_Channel_IO/sensed.6: No such file or directory))
> 
> ----- End forwarded message -----
> 
> ----- Forwarded message from root <[email protected]> -----
> 
> Date: Sun, 06 Apr 2014 12:46:07 -0700
> Subject: sec: 06/04/2014 12:46:07  DoorLockChg: Front Door UNKNOWN STATE (UNDEF(cat: /etc/owfs/uncached/8_Channel_IO/sensed.6: No such file or directory))
> 
> Sun Apr  6 12:46:07 2014: 06/04/2014 12:46:07  DoorLockChg: Front Door UNKNOWN STATE (UNDEF(cat: /etc/owfs/uncached/8_Channel_IO/sensed.6: No such file or directory))
> 
> ----- End forwarded message -----
> 
> ----- Forwarded message from root <[email protected]> -----
> 
> Date: Sun, 06 Apr 2014 12:46:12 -0700
> Subject: sec: 06/04/2014 12:46:12  DoorLockChg: Front Door UNKNOWN STATE (UNDEF(cat: /etc/owfs/uncached/8_Channel_IO/sensed.6: No such file or directory))
> 
> Sun Apr  6 12:46:12 2014: 06/04/2014 12:46:12  DoorLockChg: Front Door UNKNOWN STATE (UNDEF(cat: /etc/owfs/uncached/8_Channel_IO/sensed.6: No such file or directory))
> 
> ----- End forwarded message -----
> 
> ----- Forwarded message from root <[email protected]> -----
> 
> Date: Sun, 06 Apr 2014 12:46:17 -0700
> Subject: sec: 06/04/2014 12:46:17  DoorLockChg: Front Door UNKNOWN STATE (UNDEF(cat: /etc/owfs/uncached/8_Channel_IO/sensed.6: No such file or directory))
> 
> Sun Apr  6 12:46:17 2014: 06/04/2014 12:46:17  DoorLockChg: Front Door UNKNOWN STATE (UNDEF(cat: /etc/owfs/uncached/8_Channel_IO/sensed.6: No such file or directory))
> 
> ----- End forwarded message -----
> 
> ----- Forwarded message from root <[email protected]> -----
> 
> Date: Sun, 06 Apr 2014 12:46:22 -0700
> Subject: sec: 06/04/2014 12:46:22  DoorLockChg: Front Door UNKNOWN STATE (UNDEF(cat: /etc/owfs/uncached/8_Channel_IO/sensed.6: No such file or directory))
> 
> Sun Apr  6 12:46:22 2014: 06/04/2014 12:46:22  DoorLockChg: Front Door UNKNOWN STATE (UNDEF(cat: /etc/owfs/uncached/8_Channel_IO/sensed.6: No such file or directory))
> 
> ----- End forwarded message -----
> 
> ----- Forwarded message from root <[email protected]> -----
> 
> Date: Sun, 06 Apr 2014 12:46:27 -0700
> Subject: sec: 06/04/2014 12:46:27  DoorLockChg: Front Door UNKNOWN STATE (UNDEF(cat: /etc/owfs/uncached/8_Channel_IO/sensed.6: No such file or directory))
> 
> Sun Apr  6 12:46:27 2014: 06/04/2014 12:46:27  DoorLockChg: Front Door UNKNOWN STATE (UNDEF(cat: /etc/owfs/uncached/8_Channel_IO/sensed.6: No such file or directory))
> 
> ----- End forwarded message -----
> 
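
Added example, not part of the original messages and not SEC's own code: a simplified Python model of how SingleWithSuppress keys its suppression window on the expanded desc, run over the six events from the forwarded mails (constructed input). The capture-group pattern with desc=$1 is an assumed fix that the thread does not spell out; the function names and the "sec.conf | 0" rule label are hypothetical.

```python
import re

# Constructed sample: the six events from the forwarded mails, as
# (seconds since midnight, input line). Each line starts with its own timestamp.
MSG = ("DoorLockChg: Front Door UNKNOWN STATE (UNDEF(cat: "
       "/etc/owfs/uncached/8_Channel_IO/sensed.6: No such file or directory))")
EVENTS = [(12 * 3600 + 46 * 60 + s, f"06/04/2014 12:46:{s:02d}  {MSG}")
          for s in (2, 7, 12, 17, 22, 27)]

def expand(template, match):
    """Expand $0 (the whole input line) and $N (capture group N) in a template."""
    def repl(m):
        n = int(m.group(1))
        return match.string if n == 0 else match.group(n)
    return re.sub(r"\$(\d+)", repl, template)

def single_with_suppress(events, pattern, desc, window, rule="sec.conf | 0"):
    """Model of SingleWithSuppress: act on the first event for a key, then
    ignore events with the same key until `window` seconds have passed."""
    rx = re.compile(pattern)
    suppressed_until = {}          # correlation key -> end of suppression
    fired = []                     # desc strings the action ran for
    for now, line in events:
        m = rx.search(line)
        if m is None:
            continue
        d = expand(desc, m)
        key = f"{rule} | {d}"      # the key includes the expanded desc
        if now < suppressed_until.get(key, -1):
            continue               # same key inside the window: suppressed
        suppressed_until[key] = now + window
        fired.append(d)
    return fired

def alerts_with_desc_0():
    # Rule as posted: desc=$0 carries the per-event timestamp into the key.
    return single_with_suppress(
        EVENTS, r"DoorLockChg: Front Door UNKNOWN STATE", "$0", 3600)

def alerts_with_desc_1():
    # Assumed fix: capture only the stable text and use desc=$1.
    return single_with_suppress(
        EVENTS, r"(DoorLockChg: Front Door UNKNOWN STATE)", "$1", 3600)

if __name__ == "__main__":
    print(len(alerts_with_desc_0()), "mails with desc=$0")
    print(len(alerts_with_desc_1()), "mail with desc=$1")
```
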

------------------------------------------------------------------------------
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
