Hi Risto,

I solved it; it is as simple as not using " and using only ' in the path.

Example:

Working case:

type=Single
ptype=SubStr
pattern=SEC_STARTUP
context=SEC_INTERNAL_EVENT
continue=TakeNext
desc=Load the SecModule module and terminate if it is not found
action=assign %ret 0; eval %ret (require 'c:\Sec\lib\SecModule.pm';); eval %o (exit(1) unless %ret)

Not working:
type=Single
ptype=SubStr
pattern=SEC_STARTUP
context=SEC_INTERNAL_EVENT
continue=TakeNext
desc=Load the SecModule module and terminate if it is not found
action=assign %ret 0; eval %ret (require "c:\Sec\lib\SecModule.pm";); eval %o (exit(1) unless %ret)


Thank you for your support Risto.

2016-04-22 15:20 GMT+02:00 Jaren Peich <burkol...@gmail.com>:

> Yes. I tried and it didn't work.
>
> Thanks for your help Risto. Regards!
>
> 2016-04-22 14:32 GMT+02:00 Risto Vaarandi <risto.vaara...@gmail.com>:
>
>> ...also, did you try replacing backslashes with regular slashes in the
>> pathname, for example, c:/sec/lib/SecModule.pm?
>>
>> risto
>>
>> 2016-04-22 15:29 GMT+03:00 Risto Vaarandi <risto.vaara...@gmail.com>:
>>
>>> hi Jaren,
>>> unfortunately, I am not using perl on windows platform, so this issue
>>> might be related to your particular windows perl flavor (maybe activestate
>>> perl is doing things a bit differently). One workaround that works on unix
>>> platform is to use the PERL5LIB environment variable and set it to the
>>> directory path of your module. Maybe this trick will also work for windows
>>> perl distributions.
>>> hope this helps,
>>> risto
>>>
>>> 2016-04-22 14:23 GMT+03:00 Jaren Peich <burkol...@gmail.com>:
>>>
>>>> Hi,
>>>>
>>>> I'm executing on the Windows platform and use a path like this:
>>>> c:\sec\lib\SecModule.pm. It can't locate the file.
>>>> First I did it as a Windows path, c:\sec\lib\SecModule.pm, and then I did
>>>> it like in Linux just to test it (I saw it in your example). Neither one
>>>> worked. It is just to have it separately, but it's not a big problem.
>>>>
>>>> Thank you Risto!. Regards.
>>>>
>>>>
>>>>
>>>>
>>>> 2016-04-22 12:37 GMT+02:00 Risto Vaarandi <risto.vaara...@gmail.com>:
>>>>
>>>>> The .pm file does not need to reside in the same directory as rules.
>>>>> If the path is relative, it is relative to the sec working directory. For
>>>>> instance, your example rule assumes that SecModule.pm has to be in the
>>>>> same directory which is used by sec. In order to avoid any ambiguities, I
>>>>> would strongly recommend to use absolute paths for loading modules (e.g.,
>>>>> require "/etc/sec/perl/SecModule.pm").
>>>>> kind regards,
>>>>> risto
>>>>>
>>>>> 2016-04-22 13:09 GMT+03:00 Jaren Peich <burkol...@gmail.com>:
>>>>>
>>>>>> Hi Risto,
>>>>>>
>>>>>> I'm trying to locate the .pm file in another folder. I tried Windows
>>>>>> and Linux paths, with escaping and without escaping. Does it have to be
>>>>>> in the same folder as the rules?
>>>>>>
>>>>>> type=Single
>>>>>> ptype=SubStr
>>>>>> pattern=SEC_STARTUP
>>>>>> context=SEC_INTERNAL_EVENT
>>>>>> continue=TakeNext
>>>>>> desc=Load the SecModule module and terminate if it is not found
>>>>>> action=assign %ret 0; eval %ret (require "SecModule.pm"); eval %o (exit(1) unless %ret)
>>>>>>
>>>>>> Regards.
>>>>>>
>>>>>> 2016-04-20 17:14 GMT+02:00 Jaren Peich <burkol...@gmail.com>:
>>>>>>
>>>>>>> Thanks Risto!!! :) It's working properly. I'm a newbie programming
>>>>>>> in Perl and I'm getting used to it, hehehe.
>>>>>>>
>>>>>>> Have a nice evening.
>>>>>>>
>>>>>>> 2016-04-20 17:05 GMT+02:00 Risto Vaarandi <risto.vaara...@gmail.com>:
>>>>>>>
>>>>>>>> hi Jaren,
>>>>>>>> I think you have a small typo in your action list -- currently it
>>>>>>>> reads as
>>>>>>>>
>>>>>>>> action=lcall %o -> ( sub { print Data::Dumper(%SecModule::ip);} )
>>>>>>>>
>>>>>>>> but when you look into the action more closely, there is only the
>>>>>>>> module prefix "Data::Dumper" without the function name. Since you
>>>>>>>> probably wanted to invoke the Dumper() function from Data::Dumper
>>>>>>>> module, the action list should probably read as:
>>>>>>>>
>>>>>>>> action=lcall %o -> ( sub { print Data::Dumper::Dumper(%SecModule::ip);} )
>>>>>>>>
>>>>>>>> Try this modification and see if it works.
>>>>>>>>
>>>>>>>> kind regards,
>>>>>>>> risto
>>>>>>>>
>>>>>>>>
>>>>>>>> 2016-04-20 17:58 GMT+03:00 Jaren Peich <burkol...@gmail.com>:
>>>>>>>>
>>>>>>>>> Hi Risto,
>>>>>>>>>
>>>>>>>>> Finally I got it! I can load and search in the hash table, but I'm
>>>>>>>>> trying to show the hash table with Data::Dumper and I don't know why
>>>>>>>>> it's not working.
>>>>>>>>> Are there any differences between loading your own module and the
>>>>>>>>> system modules?
>>>>>>>>>
>>>>>>>>> rules.conf
>>>>>>>>>
>>>>>>>>> _____________________________________________________________________
>>>>>>>>>
>>>>>>>>> type=Single
>>>>>>>>> ptype=SubStr
>>>>>>>>> pattern=SEC_STARTUP
>>>>>>>>> context=SEC_INTERNAL_EVENT
>>>>>>>>> continue=TakeNext
>>>>>>>>> desc=Load the Dumper module and terminate if it is not found
>>>>>>>>> action=assign %ret 0; eval %ret (require Data::Dumper;); eval %o (exit(1) unless %ret)
>>>>>>>>>
>>>>>>>>> type=Single
>>>>>>>>> ptype=RegExp
>>>>>>>>> continue=TakeNext
>>>>>>>>> pattern=.*getHash.*
>>>>>>>>> desc=Event received
>>>>>>>>> action=lcall %o -> ( sub { print Data::Dumper(%SecModule::ip);} )
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Output:
>>>>>>>>> Code 'CODE(0x281f2c4)' runtime error: Undefined subroutine &Data::Dumper
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Thank you!. Regards.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> 2016-04-19 10:48 GMT+02:00 Jaren Peich <burkol...@gmail.com>:
>>>>>>>>>
>>>>>>>>>> Thank you Risto! It's working properly!
>>>>>>>>>>
>>>>>>>>>> I know that I have to update the library but I still can't. I'm
>>>>>>>>>> trying to do it.
>>>>>>>>>>
>>>>>>>>>> 2016-04-18 20:30 GMT+02:00 Risto Vaarandi <risto.vaara...@gmail.com>:
>>>>>>>>>>
>>>>>>>>>>> ...also, if you would like to use rules with if-actions, they
>>>>>>>>>>> are supported by sec-2.7.X (the latest major version). Unless you
>>>>>>>>>>> have specific restrictions what versions you can install, I would
>>>>>>>>>>> recommend to go with sec-2.7.9 which is the latest stable
>>>>>>>>>>> distribution.
>>>>>>>>>>> kind regards,
>>>>>>>>>>> risto
>>>>>>>>>>>
>>>>>>>>>>> 2016-04-18 20:41 GMT+03:00 Risto Vaarandi <risto.vaara...@gmail.com>:
>>>>>>>>>>>
>>>>>>>>>>>> hi Jaren,
>>>>>>>>>>>> when looking at the command line options, they have been
>>>>>>>>>>>> properly set. However, from the sec debug messages I can see that
>>>>>>>>>>>> you are using version 2.6.2. This version is fairly old and does
>>>>>>>>>>>> not support the 'if ( )' action. In order to adjust the first rule
>>>>>>>>>>>> for version 2.6.2, it should be rewritten as:
>>>>>>>>>>>>
>>>>>>>>>>>> type=Single
>>>>>>>>>>>> ptype=SubStr
>>>>>>>>>>>> pattern=SEC_STARTUP
>>>>>>>>>>>> context=SEC_INTERNAL_EVENT
>>>>>>>>>>>> continue=TakeNext
>>>>>>>>>>>> desc=Load the SecModule module and terminate if it is not found
>>>>>>>>>>>> action=assign %ret 0; eval %ret (require "SecModule.pm"); eval %o (exit(1) unless %ret)
>>>>>>>>>>>>
>>>>>>>>>>>> Also, if you would like to test how the fourth rule matches the
>>>>>>>>>>>> event in muestra.txt, the event should be rewritten as
>>>>>>>>>>>> event for IP 192.168.1.1
>>>>>>>>>>>> since otherwise the regular expression of the fourth rule would
>>>>>>>>>>>> not produce a match.
>>>>>>>>>>>>
>>>>>>>>>>>> kind regards,
>>>>>>>>>>>> risto
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> 2016-04-18 18:55 GMT+03:00 Jaren Peich <burkol...@gmail.com>:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi Risto,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks for the examples and the explanation, Risto. I understood
>>>>>>>>>>>>> everything really quickly! I've tried to execute it and I can find
>>>>>>>>>>>>> the way to do it.
>>>>>>>>>>>>> Scene -> all the files are in the same folder.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I created like this:
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> ______________________________________________________________________
>>>>>>>>>>>>> SecModule.pm
>>>>>>>>>>>>>
>>>>>>>>>>>>> ______________________________________________________________________
>>>>>>>>>>>>>
>>>>>>>>>>>>> package SecModule;
>>>>>>>>>>>>> use strict;
>>>>>>>>>>>>> use warnings;
>>>>>>>>>>>>> require Exporter;
>>>>>>>>>>>>> our @ISA = qw(Exporter);
>>>>>>>>>>>>>
>>>>>>>>>>>>> our $VERSION = 1.00;
>>>>>>>>>>>>> our @EXPORT_OK = qw(build_ip_table %ipaddr);
>>>>>>>>>>>>>
>>>>>>>>>>>>> our %ipaddr;
>>>>>>>>>>>>>
>>>>>>>>>>>>> sub build_ip_table {
>>>>>>>>>>>>>   %ipaddr = ();
>>>>>>>>>>>>>   $ipaddr{"192.168.1.1"} = 1;
>>>>>>>>>>>>>   $ipaddr{"10.1.1.1"} = 1;
>>>>>>>>>>>>> }
>>>>>>>>>>>>>
>>>>>>>>>>>>> 1;
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> ___________________________________________________________________________
>>>>>>>>>>>>> rules.conf
>>>>>>>>>>>>>
>>>>>>>>>>>>> ___________________________________________________________________________
>>>>>>>>>>>>>
>>>>>>>>>>>>> type=Single
>>>>>>>>>>>>> ptype=SubStr
>>>>>>>>>>>>> pattern=SEC_STARTUP
>>>>>>>>>>>>> context=SEC_INTERNAL_EVENT
>>>>>>>>>>>>> continue=TakeNext
>>>>>>>>>>>>> desc=Load the SecModule module and terminate if it is not found
>>>>>>>>>>>>> action=eval %ret (require "SecModule.pm"); \
>>>>>>>>>>>>>        if %ret ( logonly SecModule loaded ) else ( eval %o exit(1) )
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> type=Single
>>>>>>>>>>>>> ptype=RegExp
>>>>>>>>>>>>> pattern=^(?:SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)$
>>>>>>>>>>>>> context=SEC_INTERNAL_EVENT
>>>>>>>>>>>>> desc=create IP address table
>>>>>>>>>>>>> action=lcall %o -> ( sub { SecModule::build_ip_table() } )
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> type=Single
>>>>>>>>>>>>> ptype=RegExp
>>>>>>>>>>>>> pattern=addIP: ([\d.]+)
>>>>>>>>>>>>> desc=add IP address $1 to IP table
>>>>>>>>>>>>> action=lcall %o $1 -> ( sub { $SecModule::ipaddr{$_[0]} = 1 } )
>>>>>>>>>>>>>
>>>>>>>>>>>>> type=Single
>>>>>>>>>>>>> ptype=RegExp
>>>>>>>>>>>>> pattern=event for IP ([\d.]+)
>>>>>>>>>>>>> context=$1 -> ( sub { exists $SecModule::ipaddr{$_[0]} } )
>>>>>>>>>>>>> desc=Event received for IP address $1 that is in the IP table
>>>>>>>>>>>>> action=write - %s
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> ______________________________________________________________________________
>>>>>>>>>>>>> muestra.txt
>>>>>>>>>>>>>
>>>>>>>>>>>>> ______________________________________________________________________________
>>>>>>>>>>>>>
>>>>>>>>>>>>> 192.168.1.1
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> I launch sec like this:
>>>>>>>>>>>>> perl.exe sec -intevents -fromstart -notail -conf=rules.conf -input=muestra.txt -log=Log.log
>>>>>>>>>>>>>
>>>>>>>>>>>>> Output:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Mon Apr 18 17:34:05 2016: Deleting SEC internal context 'SEC_INTERNAL_EVENT'
>>>>>>>>>>>>> Mon Apr 18 17:34:05 2016: Creating SEC internal context 'SEC_INTERNAL_EVENT'
>>>>>>>>>>>>> Mon Apr 18 17:34:05 2016: Creating SEC internal event 'SEC_SHUTDOWN'
>>>>>>>>>>>>> Mon Apr 18 17:34:05 2016: Deleting SEC internal context 'SEC_INTERNAL_EVENT'
>>>>>>>>>>>>> Mon Apr 18 17:47:34 2016: SEC (Simple Event Correlator) 2.6.2
>>>>>>>>>>>>> Mon Apr 18 17:47:34 2016: Reading configuration from rules.conf
>>>>>>>>>>>>> Mon Apr 18 17:47:34 2016: Rule in rules.conf at line 3: Invalid action 'if %ret ( logonly SecModule loaded ) else ( eval %o exit(1) )'
>>>>>>>>>>>>> Mon Apr 18 17:47:34 2016: Rule in rules.conf at line 3: Invalid action list ' eval %ret (require "SecModule.pm");        if %ret ( logonly SecModule loaded ) else ( eval %o exit(1) ) '
>>>>>>>>>>>>> Mon Apr 18 17:47:34 2016: 3 rules loaded from rules.conf
>>>>>>>>>>>>> Mon Apr 18 17:47:34 2016: Opening input file muestra.txt
>>>>>>>>>>>>> Mon Apr 18 17:47:34 2016: set the 'inode' to fileID 1460981233 for file muestra.txt
>>>>>>>>>>>>> Mon Apr 18 17:47:34 2016: Stdin connected to terminal, SIGINT can't be used for changing the logging level
>>>>>>>>>>>>> Mon Apr 18 17:47:34 2016: Creating SEC internal context 'SEC_INTERNAL_EVENT'
>>>>>>>>>>>>> Mon Apr 18 17:47:34 2016: Creating SEC internal event 'SEC_STARTUP'
>>>>>>>>>>>>> Mon Apr 18 17:47:34 2016: Calling code 'CODE(0x25fe2dc)' and setting variable '%o'
>>>>>>>>>>>>> Mon Apr 18 17:47:34 2016: Code 'CODE(0x25fe2dc)' runtime error: Undefined subroutine &SecModule::build_ip_table called at (eval 4) line 1.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Also i did like this
>>>>>>>>>>>>> perl.exe -c sec -intevents -fromstart -notail -conf=rules.conf -input=muestra.txt -log=Log.log
>>>>>>>>>>>>>
>>>>>>>>>>>>> Output:
>>>>>>>>>>>>>
>>>>>>>>>>>>> sec syntax ok
>>>>>>>>>>>>>
>>>>>>>>>>>>> Should I use execution options? Thank you for your support,
>>>>>>>>>>>>> Risto!
>>>>>>>>>>>>>
>>>>>>>>>>>>> Regards.
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
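
Added example, not part of the original thread: in Perl a double-quoted string processes backslash escapes while a single-quoted one does not, which is why the two rules at the top of this thread behave differently, and an absolute path passed to require is loaded without consulting @INC. The helper load_module, the temporary directory and the sample module contents are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# The same literal in both quoting styles. Inside double quotes Perl treats
# "\S" as an unknown escape (the backslash is dropped) and "\l" as
# "lower-case the next character", so every path separator disappears.
my $single = 'c:\Sec\lib\SecModule.pm';
my $double = do { no warnings; "c:\Sec\lib\SecModule.pm" };

# Hypothetical helper: load a module only from an absolute path to an
# existing file and return a reason instead of dying, so that the calling
# SEC rule can decide whether to exit.
sub load_module {
    my ($path) = @_;
    return (0, "not an absolute path: $path")
        unless File::Spec->file_name_is_absolute($path);
    return (0, "no such file: $path") unless -f $path;
    my $ok = eval { require $path; 1 };
    return $ok ? (1, "loaded $path") : (0, "require failed: $@");
}

# Constructed sample module in a temporary directory, so the demo runs on
# any platform without touching c:\Sec\lib.
my $dir  = tempdir(CLEANUP => 1);
my $file = File::Spec->catfile($dir, 'SecModule.pm');
open my $fh, '>', $file or die "cannot write $file: $!";
print {$fh} "package SecModule;\nour %ipaddr = ('192.168.1.1' => 1);\n1;\n";
close $fh;

print "single-quoted literal: $single\n";
print "double-quoted literal: $double\n";

# An absolute path, a bare relative name, and the mangled double-quoted path.
for my $candidate ($file, 'SecModule.pm', $double) {
    my ($ok, $msg) = load_module($candidate);
    printf "%-4s %s\n", ($ok ? 'OK' : 'FAIL'), $msg;
}
```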
