On 2014-07-08 12:58, John P. Rouillard wrote:
> In message <98efd2d350022c8410a506512481f6e7@localhost>,
> James Lay writes:
>>So I have this type of event:
>>
>>Jul  7 19:40:02 Something bad with a number 10333-12344
>>Jul  7 19:40:04 Something bad with a number 10333-12344
>>Jul  7 19:40:10 Something bad with a number 10333-12344
>
> Is the number range (i.e. $1) the same for all three events you want
> to correlate?
>
>>My rule below works just as I want...I only get one alert:
>>
>>type = SingleWithThreshold
>>ptype = RegExp
>>pattern = Something bad with a number ([\d-]+)
>>desc = Bad Event
>>action = pipe '%s' /usr/local/bin/sendEmail -f [email protected] -s server -t
>>[email protected] -u "Bleh" -m "$0"
>>window = 60
>>thresh = 1
>>
>>But now say I get this:
>>
>>Jul  7 19:40:22 Something bad with a number 10333-12344
>>Jul  7 19:40:34 Something bad with a number 10333-12345
>>Jul  7 19:40:56 Something bad with a number 10333-12346
>>
>>These are different, so I want to see all three, however the threshold
>>kicks in and I only see the first one.  How can I change this behavior?
>>I know I'm missing something, but I'm not sure where to look.  Thanks
>>for any assistance you can give.
>
> You are missing the proper desc parameter. For each event processed by
> the pattern, it sees if there is already a rule that has triggered
> with a matching desc field.
>
> If your desc string was:
>
>  desc = Bad Event $1
>
> then you would get one alert for each change in number. I.E. given the
> input:
>
> Jul  7 19:40:22 Something bad with a number 10333-12344
> Jul  7 19:40:22 Something bad with a number 10333-12344
> Jul  7 19:40:22 Something bad with a number 10333-12344
> Jul  7 19:40:34 Something bad with a number 10333-12345
> Jul  7 19:40:56 Something bad with a number 10333-12346
>
> you would get only one alert for 10333-12344 regardless of how many
> came in in the 1 minute window. Plus you would get one alert for
> 10333-12345 and 10333-12346 because the desc(ription) strings would be:
>
>  Bad Event 10333-12344
>  Bad Event 10333-12345
>  Bad Event 10333-12346
>
> each of which identifies a separate correlation operation.
>
> Search in the man page for "EVENT CORRELATION OPERATIONS"
> part of which reads:
>
>   (If the operation for this key does not exist, SEC will start it.) By
>   tuning the desc field of the rule, the scope of individual event
>   correlation operations can be changed.
>
> for the details.
> --
>                               -- rouilj
> John Rouillard

Thanks John...that really helps my understanding.

James
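The effect John describes, as an added example that is not part of the thread: a small Python model of a SingleWithThreshold rule keyed by its expanded desc string, run over the sample lines from the posts (a year is assumed, since syslog timestamps carry none). With `desc = Bad Event` all five lines share one correlation operation; with `desc = Bad Event $1` each number range gets its own operation and its own alert.

```python
import re
from datetime import datetime

# Constructed sample input, taken from the lines quoted in the thread.
LOG_LINES = [
    "Jul  7 19:40:22 Something bad with a number 10333-12344",
    "Jul  7 19:40:24 Something bad with a number 10333-12344",
    "Jul  7 19:40:30 Something bad with a number 10333-12344",
    "Jul  7 19:40:34 Something bad with a number 10333-12345",
    "Jul  7 19:40:56 Something bad with a number 10333-12346",
]

# The rule's pattern from the thread; group 1 is what SEC exposes as $1.
PATTERN = re.compile(r"Something bad with a number ([\d-]+)")


def parse_ts(line):
    """Parse the leading syslog timestamp; the year (2014) is an assumption."""
    return datetime.strptime("2014 " + line[:15], "%Y %b %d %H:%M:%S")


def single_with_threshold(lines, desc_template, window=60, thresh=1):
    """Simplified model of SEC's SingleWithThreshold (not SEC's own code).

    Each distinct expanded desc string identifies one correlation operation.
    An operation starts at the first match, counts matches within `window`
    seconds of its start, fires once when `thresh` is reached, and is
    replaced by a fresh operation after the window has passed.
    Returns the list of alert desc strings in the order they fired.
    """
    ops = {}       # expanded desc -> {"start": datetime, "count": int, "fired": bool}
    alerts = []
    for line in lines:
        m = PATTERN.search(line)
        if not m:
            continue
        ts = parse_ts(line)
        desc = desc_template.replace("$1", m.group(1))   # SEC-style $1 expansion
        op = ops.get(desc)
        if op is None or (ts - op["start"]).total_seconds() >= window:
            op = ops[desc] = {"start": ts, "count": 0, "fired": False}
        op["count"] += 1
        if not op["fired"] and op["count"] >= thresh:
            alerts.append(desc)
            op["fired"] = True
    return alerts


if __name__ == "__main__":
    print(single_with_threshold(LOG_LINES, "Bad Event"))      # one alert
    print(single_with_threshold(LOG_LINES, "Bad Event $1"))   # three alerts
```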


_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users