Yes, and you can test your rule very quickly to verify it. When you have

type=Single
ptype=regexp
pattern=^msg=(.*)$
desc=test
action= assign %msg $1; \
        create EVENT_%msg 10 ( logonly %msg expired ); \
        create TEST 1 ( assign %msg B )

then providing msg=A will result in "B expired", while having

type=Single
ptype=regexp
pattern=^msg=(.*)$
desc=test
action= assign %msg $1; \
        create EVENT_%msg 10 ( logonly $1 expired ); \
        create TEST 1 ( assign %msg B )

will produce "A expired", as just tested on my laptop:

$ sec-2.7.7/sec --conf test.sec --input -
SEC (Simple Event Correlator) 2.7.7
Reading configuration from test.sec
1 rules loaded from test.sec
No --bufsize command line option or --bufsize=0, setting --bufsize to 1
Opening input file -
Interactive process, SIGINT can't be used for changing the logging level
msg=A
Assigning 'A' to variable '%msg'
Creating context 'EVENT_A'
Creating context 'TEST'
Deleting stale context 'TEST'
Assigning 'B' to variable '%msg'
Stale context 'TEST' deleted
Deleting stale context 'EVENT_A'
A expired
Stale context 'EVENT_A' deleted

regards,
risto

2015-10-06 23:24 GMT+03:00 Bond Masuda <bond.mas...@jlbond.com>:

> On 10/06/2015 01:18 PM, Risto Vaarandi wrote:
>
> The action list variables (like %msg in your example) are global and can
> be modified by any rule. Thus, when an action list variable is substituted,
> the value you will see might be assigned by another rule in another rule
> file. Also, action list variables are substituted immediately before the
> action list gets executed (this makes them different from match variables).
> Therefore, %msg has the value B in your example, and the 'logonly' action
> logs the string "B expired". Finally, there are also a few builtin action
> list variables which have predefined values (such as %s and %t). You can
> read more about action list variables in the official docs when you check the
> opening paragraphs of the "Actions, Action Lists and Action List Variables"
> section (http://simple-evcorr.github.io/man.html#lbAI).
>
> So, based on what you are telling me, to get the desired result (which is
> "A expired" when context EVENT_A expires), I should not use the action
> variable %msg, but use the match variable $1? i.e.,
>
> type=Single
> ptype=regexp
> pattern=^msg=(.*)$
> action= assign %msg $1; \
> create EVENT_%msg 30 ( logonly $1 expired )
>
> 2015-10-06 22:50 GMT+03:00 Bond Masuda <bond.mas...@jlbond.com>:
>
>> Let's say I have messages like:
>>
>> msg=A
>> msg=B
>> ...
>>
>> and my rule is:
>>
>> type=Single
>> ptype=regexp
>> pattern=^msg=(.*)$
>> action= assign %msg $1; \
>> create EVENT_%msg 30 ( logonly %msg expired )
>>
>> Does the action list for when the context EVENT_%msg expires, get saved
>> somewhere when the create action happens? Or, does that get evaluated
>> when the context expires?
>>
>> e.g., if msg=A and msg=B are less than 30 seconds apart, when EVENT_A
>> expires, will I get "A expired" or "B expired" in my log message?
>>
>> Is the scope of action variables like %msg in the above example global?
>> If one rule sets %msg, can another rule then access that value in %msg?
>> Or are they all locally scoped and disappear once the rule is done
>> processing?
>>
>> Thank you,
>> Bond
------------------------------------------------------------------------------
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
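
The two substitution phases discussed in this thread, as an added Python model that is not SEC's code and not from either poster: $N is filled in at match time, %name only when an action runs. MiniSec, feed, advance and expiry_log are hypothetical names, and only assign, create and logonly with one level of nested action list are modelled.

```python
import re

class MiniSec:
    """Toy model (not SEC itself) of match-time vs. execution-time substitution."""
    def __init__(self):
        self.now, self.vars, self.contexts, self.log = 0, {}, {}, []

    def feed(self, pattern, action, line):
        m = re.match(pattern, line)
        if m:
            # Phase 1: $N match variables are replaced once, at match time,
            # everywhere in the action text, including nested ( ... ) lists.
            self.run(re.sub(r"\$(\d+)", lambda v: m.group(int(v.group(1))), action))

    def expand(self, text):
        # Phase 2: %name is read from the global table when an action executes.
        return re.sub(r"%(\w+)", lambda v: self.vars.get(v.group(1), v.group(0)), text)

    def run(self, actions):
        for act in re.split(r";(?![^()]*\))", actions):   # ';' outside ( ... )
            head, _, rest = act.partition("(")
            nested = rest.rsplit(")", 1)[0].strip()       # kept raw: %vars untouched
            words = head.split(None, 2)
            if not words:
                continue
            if words[0] == "assign":                      # words[1] is the variable name
                self.vars[words[1][1:]] = self.expand(words[2]).strip()
            elif words[0] == "create":
                name, ttl = self.expand(words[1]), int(words[2])
                self.contexts[name] = (self.now + ttl, nested)
            elif words[0] == "logonly":
                self.log.append(self.expand(" ".join(words[1:])).strip())

    def advance(self, seconds):
        self.now += seconds
        for name, (expiry, nested) in sorted(self.contexts.items(), key=lambda c: c[1][0]):
            if expiry <= self.now:
                del self.contexts[name]
                self.run(nested)                          # stored list runs only now

def expiry_log(action):
    sec = MiniSec()
    sec.feed(r"^msg=(.*)$", action, "msg=A")              # constructed input line
    sec.advance(10)
    return sec.log

# The two action lists from the thread, with line continuations joined.
LATE = "assign %msg $1; create EVENT_%msg 10 ( logonly %msg expired ); create TEST 1 ( assign %msg B )"
EARLY = "assign %msg $1; create EVENT_%msg 10 ( logonly $1 expired ); create TEST 1 ( assign %msg B )"
```

In both variants the context is named EVENT_A, because %msg still holds A when the create action runs; only the text logged at expiry differs.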