[Simple-evcorr-users] Pair with window question

Mon, 21 Sep 2015 10:03:53 -0700 

Hello,

I would like to seek help with the following Rules I created.
Basically, I am trying to correlate pattern1 and pattern2 and write both of
them to the new log file when the event2 occurred after 10 secs of event1.


When i tested the rule by feeding the sample log files thru keyboard input
and it is working as expected.

But, the issue happened when i actually monitor log files (I've more than 1
log to monitor and i used one SEC process to monitor them all -
--input=/logs/g*/system.log) and the rule doesn't work as tested.


The sec version i used is 2.7.7


Any suggestion?


Thanks

Thin



#1
#Correlate the pattern1(SYSTEM_CFGSYNC_DOWN) and pattern2(SYSTEM_CFGSYNC_UP).
If pattern2 doesn't occur within 10secs, write pattern1 to test1.log

type=PairWithWindow

ptype=RegExp

pattern=(<\S+>)(\s?)(\S+)(\s?)((\S+:\s){2})SYSTEM_CFGSYNC_DOWN:((\s-){2}).*?

desc=$0

action=write /root/secTEMP/poctest/$3/test1.log $0; create CT_DOWN;

ptype2=RegExp

pattern2=(<\S+>)(\s?)(\S+)(\s?)((\S+:\s){2})SYSTEM_CFGSYNC_UP:((\s-){2}).*?

desc2=$0

action2=none;

window=10



#2

#Check if SYSTEM_CFGSYNC_UP should write to the log

type=Single

ptype=RegExp

pattern=(<\S+>)(\s?)(\S+)(\s?)((\S+:\s){2})SYSTEM_CFGSYNC_UP:((\s-){2}).*?

context=CT_DOWN

desc=$0

action=write /root/secTEMP/poctest/$3/test1.log $0;



Sample Log:

============

2015-09-10T13:02:59+01:00 <local4.warning> gbsole001a event: SYSTEM:
SYSTEM_CFGSYNC_DOWN: - - The config-sync feature is operationally down.

2015-09-10T13:03:02+01:00 <local4.info> gbsole001a event: SYSTEM:
SYSTEM_CFGSYNC_UP: - - The config-sync feature is operationally up.



2015-09-10T13:03:02+01:00 <local4.warning> gbsole001a event: SYSTEM:
SYSTEM_CFGSYNC_DOWN: - - The config-sync feature is operationally down.

2015-09-10T13:03:03+01:00 <local4.info> gbsole001a event: SYSTEM:
SYSTEM_CFGSYNC_UP: - - The config-sync feature is operationally up.

------------------------------------------------------------------------------

_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users

Reply via email to