In message <98efd2d350022c8410a506512481f6e7@localhost>, James Lay writes:

>So I have this type of event:
>
>Jul 7 19:40:02 Something bad with a number 10333-12344
>Jul 7 19:40:04 Something bad with a number 10333-12344
>Jul 7 19:40:10 Something bad with a number 10333-12344

Is the number range (i.e. $1) the same for all three events you want to
correlate?

>My rule below works just as I want...I only get one alert:
>
>type = SingleWithThreshold
>ptype = RegExp
>pattern = Something bad with a number ([\d-]+)
>desc = Bad Event
>action = pipe '%s' /usr/local/bin/sendEmail -f [email protected] -s server -t [email protected] -u "Bleh" -m "$0"
>window = 60
>thresh = 1
>
>But now say I get this:
>
>Jul 7 19:40:22 Something bad with a number 10333-12344
>Jul 7 19:40:34 Something bad with a number 10333-12345
>Jul 7 19:40:56 Something bad with a number 10333-12346
>
>These are different, so I want to see all three, however the threshold
>kicks in and I only see the first one. How can I change this behavior?
>I know I'm missing something, but I'm not sure where to look. Thanks
>for any assistance you can give.

You are missing the proper desc parameter. For each event processed by
the pattern, it sees if there is already a rule that has triggered with
a matching desc field. If your desc string was:

  desc = Bad Event $1

then you would get one alert for each change in number. I.e. given the
input:

  Jul 7 19:40:22 Something bad with a number 10333-12344
  Jul 7 19:40:22 Something bad with a number 10333-12344
  Jul 7 19:40:22 Something bad with a number 10333-12344
  Jul 7 19:40:34 Something bad with a number 10333-12345
  Jul 7 19:40:56 Something bad with a number 10333-12346

you would get only one alert for 10333-12344 regardless of how many came
in in the 1 minute window. Plus you would get one alert for 10333-12345
and 10333-12346 because the desc(ription) strings would be:

  Bad Event 10333-12344
  Bad Event 10333-12345
  Bad Event 10333-12346

each of which identifies a separate correlation operation.

Search in the man page for "EVENT CORRELATION OPERATIONS", part of which
reads:

  (If the operation for this key does not exist, SEC will start it.) By
  tuning the desc field of the rule, the scope of individual event
  correlation operations can be changed.

for the details.

--
-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.

_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
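The behaviour described in the reply above, shown as a small simulation (added here as an illustration; this is not SEC's own code, and it is a simplified model of SingleWithThreshold that keys correlation operations on the expanded desc string and uses a fixed rather than sliding window). The five log lines are the constructed sample from the thread; the parse_ts and expand_desc helpers are hypothetical names chosen for this example.

```python
import re

# Constructed sample input: the five lines from the thread above.
SAMPLE_LOG = """\
Jul 7 19:40:22 Something bad with a number 10333-12344
Jul 7 19:40:22 Something bad with a number 10333-12344
Jul 7 19:40:22 Something bad with a number 10333-12344
Jul 7 19:40:34 Something bad with a number 10333-12345
Jul 7 19:40:56 Something bad with a number 10333-12346
""".splitlines()

# The rule's pattern, with $1 capturing the number range.
PATTERN = re.compile(r"Something bad with a number ([\d-]+)")


def parse_ts(line):
    # "Jul 7 19:40:22 ..." -> seconds since midnight (hypothetical helper;
    # the date is ignored, which is enough for a single-day sample).
    hh, mm, ss = line.split()[2].split(":")
    return int(hh) * 3600 + int(mm) * 60 + int(ss)


def expand_desc(desc, match):
    # Substitute $0 (whole match) and $1..$n (capture groups) the way SEC
    # expands the desc field. Higher-numbered groups go first so that
    # "$10" is never clobbered by the replacement for "$1".
    groups = match.groups()
    text = desc
    for i in range(len(groups), 0, -1):
        text = text.replace(f"${i}", groups[i - 1])
    return text.replace("$0", match.group(0))


def single_with_threshold(lines, desc, window=60, thresh=1):
    """Simplified model of a SingleWithThreshold rule (not SEC's code).

    One correlation operation exists per distinct expanded desc string.
    Each operation counts matching events inside its window and fires
    once when the count reaches thresh. Returns the desc strings that
    produced an alert, in order.
    """
    ops = {}  # expanded desc -> (window start, event count, already fired)
    alerts = []
    for line in lines:
        m = PATTERN.search(line)
        if not m:
            continue
        key = expand_desc(desc, m)
        ts = parse_ts(line)
        start, count, fired = ops.get(key, (ts, 0, False))
        if ts - start >= window:
            # Window expired: SEC would start a fresh operation for this key.
            start, count, fired = ts, 0, False
        count += 1
        if count >= thresh and not fired:
            alerts.append(key)
            fired = True
        ops[key] = (start, count, fired)
    return alerts


if __name__ == "__main__":
    # With the original desc every event shares one operation: one alert.
    print(single_with_threshold(SAMPLE_LOG, "Bad Event"))
    # With $1 in the desc each number range gets its own operation: three
    # alerts, and the three duplicate 10333-12344 lines still collapse to one.
    print(single_with_threshold(SAMPLE_LOG, "Bad Event $1"))
```

Running the block prints one alert for the fixed desc and three for the desc that includes $1, matching the counts given in the reply.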
