On Tuesday 16 December 2014 at 15:33, John P. Rouillard wrote:
> (...)
> I don't see a context2 keyword in your rule.
>
> from the manual under the PAIR rule section:
>
> SEC will also copy the match conditions given with the pattern2
> and context2 field into the operation, and substitute match variables
> with their values in copied conditions.
>
> so at fast glance I claim adding:
>
> context2=[CFT]
>
> will do the trick. As it stands, you have no context limiting the
> correlation rule to a particular file.
You're right, with this line added, sec just runs fine!
BTW, being able to not limit the context can be needed too. Very
flexible.
> (...)
> >Interesting fact : $+{_inputsrc} displays "log/RECEPTION.log" even if
> >pattern2 is matched against "log/OUTPUT.log".
>
> Hmm, this makes perfect sense if
>
> desc2=Alarm end on $+{_inputsrc}
>
> is expanded when the pair rule is triggered by "pattern". At that
> time, $+{_inputsrc} is log/RECEPTION.log.
>
> You didn't say what version of SEC you are running. I want to say this
> may be a bug, but I don't remember desc2's role in correlations for
> the pair rule. It's possible desc2 is just a label rather than being
> used for a correlation check.
>
> The section in the manual titled: EVENT CORRELATION OPERATIONS says:
>
> In order to identify event correlation operations, SEC assigns a key to
> every operation that is composed from the configuration file name, the
> rule ID, and the operation description string (defined by the desc
> field of the rule).
>
> Note it says nothing about desc2 being used to identify correlation
> operations. So this may be how it should work.
>
> Since you have no context2 to limit the pattern2 correlation what you
> see would make sense.
>
> I am not sure if there is a way to get the current input file in the
> triggered rule. My best guess would be to see what:
>
> action2= write - $+{_inputsrc}
>
> produces. My guess is that will be log/OUTPUT.log because variables in
> the action keyword aren't expanded until the rule triggers.
>
> Also you may want to look at the --nojointbuf command line option. I
> think that may limit the desc2 correlation to the original buffer/file
> that triggered the rule, but I am not positive about that.
sec version 2.7.6, the latest available.
desc2 works as intended if "context2" is set.
As I'm just beginning to use sec, I'm not aware of all of its internal gears
yet. Nevertheless my basic needs are already well covered with this
ruleset.
> Let us know if any of this fixes your issue.
Yes actually it did. Sorry for my RTFM failure.
Thank you very much.
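Added example (not the poster's ruleset, which is not shown in the thread): a minimal SEC Pair rule that applies the fix discussed above. It assumes sec is started with one --input per log file, each tagged with an internal context (sec's --input=<file>=<context> form), so that RECEPTION and CFT are active only while a line from the matching file is being processed; the regexps and the transfer-ID format are hypothetical. The context2 line is the one Rouillard suggested; without it pattern2 is matched against lines from every input file.

```conf
# Added example, not from the original thread. Assumed start-up command:
#   sec --conf=cft.sec --input=log/RECEPTION.log=RECEPTION --input=log/OUTPUT.log=CFT
# The --input=<file>=<context> form makes sec set the named context while an
# event from that file is processed, so rules can tell the two files apart.
# Regexps below are placeholders; adapt them to the real log formats.

type=Pair
ptype=RegExp
pattern=transfer (\S+) started
# Only a line from log/RECEPTION.log may start the correlation operation.
context=[RECEPTION]
# desc is part of the operation key (config file name + rule ID + desc),
# so one operation exists per transfer ID.
desc=Alarm start for transfer $1 on $+{_inputsrc}
action=write - ALARM: transfer $1 started, waiting for completion
ptype2=RegExp
# $1 is substituted with the ID from the first match when the operation is
# created, so this pattern only matches the end line of the same transfer.
pattern2=transfer ($1) finished
# Without this line pattern2 is checked against every input file; with it
# only a line from log/OUTPUT.log can end the operation.
context2=[CFT]
# As observed in the thread, desc2 is expanded when the operation starts,
# so $+{_inputsrc} here would still name the first file; it is a label and
# is not used to build the operation key.
desc2=Alarm end for transfer $1
action2=write - transfer $1 finished, alarm cleared
# Give up (and drop the operation) if no end line arrives within 10 minutes.
window=600
```

If the two files are not tagged with separate contexts at start-up, the same effect can be obtained by having a Single rule create a context on the first match; the point is only that context2 must name something that is true for lines from log/OUTPUT.log and false for lines from log/RECEPTION.log.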
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users