hi Jaren,
you could try the following simple ruleset and see if this fits your needs:

type=Calendar
time=0 * * * *
desc=drop byte counters
action=lcall %o -> ( sub { %bytes = () } )

type=Single
ptype=RegExp
pattern=^\d+\/\d+\/\d+ \d{2}:\d{2}:\s*POST \S+ ([\w.@-]+) (\d+)
context=$1 $2 -> ( sub { ($bytes{$_[0]} += $_[1]) > 10000 } ) && \
        !SUPPRESS_ALARMS_FOR_$1
desc=User $1 has transmitted too many bytes
action=write - %s; create SUPPRESS_ALARMS_FOR_$1 7200

This ruleset employs the Perl hash table %bytes for keeping track of user
data transfers. The keys of the %bytes hash table are user names, and the value
which corresponds to each user name is the number of bytes transmitted.

Since you didn't mention in which particular time window you would like to
accomplish upload tracking, I have chosen a fixed window of 1 hour which is
applied to all users. The purpose of the first rule is to drop byte
counters for all users once every hour. If you wish to accomplish the
monitoring in a larger window, it is easy to adjust the 'time' field of the
Calendar rule accordingly (the field takes a value in crontab syntax).

The second rule matches individual upload events with the regular expression

^\d+\/\d+\/\d+ \d{2}:\d{2}:\s*POST \S+ ([\w.@-]+) (\d+)

which sets $1 to user name and $2 to transmitted bytes. I have assumed that
legal characters for user names are letters, digits, underscores, dots,
dashes and @-signs, and therefore I've used ([\w.@-]+) for matching the
username. If you want your username to be just any sequence of
non-whitespace characters, you can use (\S+) instead. In order to track the
number of bytes a user has uploaded, the rule uses the following context
expression

$1 $2 -> ( sub { ($bytes{$_[0]} += $_[1]) > 10000 } ) && \
        !SUPPRESS_ALARMS_FOR_$1

which consists of two operands joined by logical AND (&&).

The first operand '$1 $2 -> ( sub { ($bytes{$_[0]} += $_[1]) > 10000 } )'
is a call to a precompiled perl function which simply adds bytes for the
current upload to the total of the given user. Note that the variables $1
(user name) and $2 (bytes) serve as input parameters for the function.
Also, the function checks if the resulting user total exceeds the threshold
(I have used 10000 bytes for threshold which probably needs replacement by
a more reasonable value). The second operand of the context expression
!SUPPRESS_ALARMS_FOR_$1 is true if the context SUPPRESS_ALARMS_FOR_$1 does
not exist (which is the case if we haven't generated an alarm for the given
user within the last 2 hours -- see the following explanation). If both
operands are true (in other words, the upload threshold is violated and we
haven't produced an alert about the user in the last 2h), the rule will write a
warning string to standard output with the 'write' action. Also, after
generating the alarm, the rule creates the SUPPRESS_ALARMS_FOR_$1 context
with a lifetime of 7200 seconds. Since the context will stay around for 2
hours, it suppresses further alarms for the same user for this time frame.

Hope this helps,
risto
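The behaviour of the two rules above, as an added stand-alone example that is not part of risto's reply and is not SEC itself: a small Python emulation of the %bytes counter, the hourly Calendar reset and the SUPPRESS_ALARMS_FOR_<user> contexts, run over a few constructed proxy lines in the format from the question. Two assumptions are specific to the emulation and labelled in the code: the hourly window and context expiry are driven by the log timestamp rather than by wall-clock time (SEC fires Calendar rules and expires contexts on the real clock), and the sample log lines are made up.

```python
import re
from datetime import datetime, timedelta

# Same pattern as the Single rule, with the timestamp captured as well so the
# emulation can drive the hourly reset and context expiry from log time.
LINE_RE = re.compile(r'^(\d+/\d+/\d+ \d{2}:\d{2}):\s*POST \S+ ([\w.@-]+) (\d+)')

THRESHOLD_BYTES = 10000      # the 10000 from the context expression
SUPPRESS_SECONDS = 7200      # lifetime of SUPPRESS_ALARMS_FOR_<user>


class UploadTracker:
    """Emulates %bytes, the hourly Calendar reset and the suppression contexts."""

    def __init__(self, threshold=THRESHOLD_BYTES, suppress_seconds=SUPPRESS_SECONDS):
        self.threshold = threshold
        self.suppress = timedelta(seconds=suppress_seconds)
        self.bytes = {}          # %bytes: user -> bytes seen in the current window
        self.contexts = {}       # SUPPRESS_ALARMS_FOR_<user> -> expiry time
        self.window = None       # start of the current hourly window

    def _calendar_reset(self, now):
        # Calendar rule "0 * * * *": drop all counters at the top of every hour.
        # Assumption of this emulation: the hour is taken from the log timestamp,
        # whereas SEC fires Calendar rules on wall-clock time.
        hour = now.replace(minute=0, second=0, microsecond=0)
        if self.window is None:
            self.window = hour
        elif hour > self.window:
            self.bytes = {}
            self.window = hour

    def _expire_contexts(self, now):
        # A context created with a lifetime disappears once that lifetime elapses.
        for user in [u for u, exp in self.contexts.items() if now >= exp]:
            del self.contexts[user]

    def feed(self, line):
        """Process one log line; return the alarm text or None."""
        m = LINE_RE.match(line)
        if not m:
            return None                       # GET lines etc. never match
        ts, user, nbytes = m.groups()
        now = datetime.strptime(ts, "%d/%m/%Y %H:%M")
        self._calendar_reset(now)
        self._expire_contexts(now)
        # First operand: add to the user's total and compare with the threshold.
        self.bytes[user] = self.bytes.get(user, 0) + int(nbytes)
        over = self.bytes[user] > self.threshold
        # Second operand: !SUPPRESS_ALARMS_FOR_$1
        if over and user not in self.contexts:
            # action=write - %s; create SUPPRESS_ALARMS_FOR_$1 7200
            self.contexts[user] = now + self.suppress
            return f"User {user} has transmitted too many bytes"
        return None


# Constructed sample proxy lines in the format from the question (not real data).
SAMPLE_LOG = [
    '29/09/2015 10:14:POST "www.google.com" Korsakof 1250',
    '29/09/2015 10:20:POST "www.example.org" Korsakof 6000',
    '29/09/2015 10:31:POST "www.example.org" Korsakof 4000',   # total 11250: alarm
    '29/09/2015 10:32:POST "www.example.org" Korsakof 500',    # still over, suppressed
    '29/09/2015 10:40:POST "www.example.org" alice@corp 300',
    '29/09/2015 10:45:GET "www.example.org" bob 99999',        # not a POST, ignored
    '29/09/2015 11:05:POST "www.example.org" Korsakof 11000',  # new hour, context alive
    '29/09/2015 12:35:POST "www.example.org" Korsakof 11000',  # context expired: alarm
]


def run_ruleset(lines):
    """Return [(timestamp, alarm)] for every alarm the emulated ruleset raises."""
    tracker = UploadTracker()
    alarms = []
    for line in lines:
        msg = tracker.feed(line)
        if msg:
            alarms.append((line[:16], msg))
    return alarms


if __name__ == "__main__":
    for ts, msg in run_ruleset(SAMPLE_LOG):
        print(ts, msg)
```

Two properties of the ruleset show up in the sample run and are worth keeping in mind when tuning it. The fixed hourly reset means two uploads that straddle an hour boundary are counted in different windows, so a user can move almost twice the threshold in a few minutes without an alarm; a sliding window needs per-upload timestamps rather than one counter per user. And because the 7200-second suppression context outlives the one-hour window, a user who exceeds the limit in two consecutive hours produces a single alarm (the 11:05 line above is silent); shorten the context lifetime if one alarm per window is wanted.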
2015-09-29 11:21 GMT+03:00 Jaren Peich <burkol...@gmail.com>:

> Hi,
>
> Sorry for my English and thanks for the perl library. Thanks for accepting
> me in mailing list. :)
>
> I have to program a code with SEC to detect a quantity of bytes uploaded
> to the web from one user with a limit. I don't know how to sum the quantity
> of bytes that comes from each proxy log line till reach the limit and
> generate an alert.
>
> Log Line
>
> Time: Method "Url" User Bytes
> 29/09/2015 10:14:POST "www.google.com" Korsakof 1250
>
> Thank you. Regards.
>
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users