Like Mark suggested, you need to use the 'continue' rule parameter in order to
pass matching events to further rules in your configuration file. Since your
first rule is of type Pair, which has two regular expression patterns (given
with 'pattern' and 'pattern2'), and the following rules are reusing both of
these patterns for event recognition, you will need to set both the 'continue'
and 'continue2' parameters to TakeNext in the Pair rule:
continue=TakeNext
continue2=TakeNext
regards,
risto
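For reference, here is Andrew's Rule 1 with the two parameters from Risto's reply added. This is an added illustration, not a rule from the original thread; everything apart from the 'continue' and 'continue2' lines (and the comments) is taken verbatim from the rule as posted below, including the script path and argument strings, which are assumed to be what the original author intended. SEC's default for 'continue' is DontCont, which is why the critical alarm and the clearing event were being consumed by Rule 1 and never reached Rules 2 and 3.

```ini
# Added example: Rule 1 from the thread with continue/continue2 set.
# 'continue' applies to events matched by 'pattern' (the critical alarm),
# 'continue2' to events matched by 'pattern2' (the alarm-cleared line).
# With TakeNext, SEC still runs this rule's actions but then hands the
# same event to the following rules in the file, so Rule 2 (scenario two)
# and Rule 3 (the clearing mail) get a chance to match it as well.
type=Pair
ptype=RegExp
pattern=(\S+) (\S+) Loss Of Signal in (\S+) \(criticalServiceAffecting\),ifIndex=(.+)
desc=$2 Loss of signal events for interface $3($4)
action=lcall %time1 -> ( sub { my(@time1) = localtime(); \
my($timestamp) = sprintf( "%04d-%02d-%02d %02d:%02d:%02d", \
$time1[5]+1900, $time1[4]+1, $time1[3], $time1[2], $time1[1], $time1[0]); \
return $timestamp; } )
continue=TakeNext
ptype2=RegExp
pattern2=(\S+) $2 Loss Of Signal in (\S+) \(alarm is cleared\),ifIndex=(.+)
desc2=$2 Loss of signal alarm is cleared for interface $3($4)
action2=lcall %time2 -> ( sub { my(@time) = localtime(); \
my($timestamp) = sprintf( "%04d-%02d-%02d %02d:%02d:%02d", \
$time[5]+1900, $time[4]+1, $time[3], $time[2], $time[1], $time[0]); \
return $timestamp; } ); \
shellcmd /home/andrew/code/sendmail_noGUI.sh "%2_%3(%4) Loss Of Signal" "%2_%3(%4) Loss Of Signal" "%time1 - %time2" "%2_%3(%4) "
continue2=TakeNext
window=30
```

Rules 2 and 3 stay as posted; since they are Single rules that nothing follows, they can keep the default 'continue' value. When editing a sec.cfg this way, keep the trailing backslashes on the action lines: SEC joins a line ending in a backslash with the next one, so a wrapped line without it is read as the start of a new parameter.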
From: andrewarnier [mailto:[email protected]]
Sent: Friday, November 14, 2014 5:44 AM
To: [email protected]
Subject: [Simple-evcorr-users] the same event for two scenario
Hi all,
I want to detect the event for two scenarios.
Scenario one is when a "(\S+) (\S+) Loss Of Signal in (\S+) \(criticalServiceAffecting\),ifIndex=(.+)" line appears in the input and a "(\S+) $2 Loss Of Signal in (\S+) \(alarm is cleared\),ifIndex=(.+)" line appears in the input within 30 seconds; this will take the Rule 1 action2.
Scenario two is when a "(\S+) (\S+) Loss Of Signal in (\S+) \(criticalServiceAffecting\),ifIndex=(.+)" line appears in the input but a "(\S+) $2 Loss Of Signal in (\S+) \(alarm is cleared\),ifIndex=(.+)" line does not appear in the input within 30 seconds; this will take the Rule 2 action, and when a "(\S+) $2 Loss Of Signal in (\S+) \(alarm is cleared\),ifIndex=(.+)" line appears in the input it will take Rule 3.
But I found that when scenario 2 occurs, it won't detect Rule 2 while Rule 1 is put before Rule 2 in my sec.cfg:
Rule 1 :
type=Pair
ptype=RegExp
pattern=(\S+) (\S+) Loss Of Signal in (\S+) \(criticalServiceAffecting\),ifIndex=(.+)
desc=$2 Loss of signal events for interface $3($4)
action=lcall %time1 -> ( sub { my(@time1) = localtime(); \
my($timestamp) = sprintf( "%04d-%02d-%02d %02d:%02d:%02d", \
$time1[5]+1900, $time1[4]+1, $time1[3], $time1[2], $time1[1], $time1[0]); \
return $timestamp; } )
ptype2=RegExp
pattern2=(\S+) $2 Loss Of Signal in (\S+) \(alarm is cleared\),ifIndex=(.+)
desc2=$2 Loss of signal alarm is cleared for interface $3($4)
action2=lcall %time2 -> ( sub { my(@time) = localtime(); \
my($timestamp) = sprintf( "%04d-%02d-%02d %02d:%02d:%02d", \
$time[5]+1900, $time[4]+1, $time[3], $time[2], $time[1], $time[0]); \
return $timestamp; } ); \
shellcmd /home/andrew/code/sendmail_noGUI.sh "%2_%3(%4) Loss Of Signal" "%2_%3(%4) Loss Of Signal" "%time1 - %time2" "%2_%3(%4) "
window=30

Rule 2 :
type=Single
ptype=RegExp
pattern=(\S+) (\S+) Loss Of Signal in (\S+) \(criticalServiceAffecting\),ifIndex=(.+)
desc=$2 Loss of signal events for interface $3($4)
action=lcall %time -> ( sub { my(@time) = localtime(); \
my($timestamp) = sprintf( "%04d-%02d-%02d %02d:%02d:%02d", \
$time[5]+1900, $time[4]+1, $time[3], $time[2], $time[1], $time[0]); \
return $timestamp; } ); \
shellcmd /home/andrew/code/sendmail_noGUI.sh "Loss Of Signal" "$2 Loss of signal events for interface $3($4)" "%time" " $2_$3($4) "

Rule 3 :
type=Single
ptype=RegExp
pattern=(\S+) (\S+) Loss Of Signal in (\S+) \(alarm is cleared\),ifIndex=(.+)
desc=$2 Loss of signal alarm is cleared for interface $3($4)
action=lcall %time -> ( sub { my(@time) = localtime(); \
my($timestamp) = sprintf( "%04d-%02d-%02d %02d:%02d:%02d", \
$time[5]+1900, $time[4]+1, $time[3], $time[2], $time[1], $time[0]); \
return $timestamp; } ); \
shellcmd /home/andrew/code/EventClear_mail_noGUI.sh "%2_%3(%4) Loss Of Signal alarm is cleared" "%2_%3(%4) Loss Of Signal" "%time" "%2_%3(%4)" "%2_%3(%4) "
Does anyone know how to solve the problem? How can I detect the two scenarios?
Thanks,
Andrew
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users