hi Jaren,
what do you mean by validating the Suppress rule -- did you mean debugging
it, in order to identify potential faults in the rule? I had a quick look
into the rule and actually noticed a few things which could be fixed.

Apparently, the Suppress rule assumes that the $+{date} match variable
holds a date in the following format: Jul 19 16:07:42
(The same format is used for timestamps in BSD syslog messages.)

However, the Perl code in the context expression of the Suppress rule
parses this timestamp in the following way:

($diaSem,$mes,$dia,$hora,$anno)=split(" ",$_[0]);

This means that $diaSem will be set to month (e.g., Jul), $mes will be set
to day of the month (e.g., 19), and $dia will be set to
hours-minutes-seconds (e.g., 16:07:42). As for $hora and $anno, they will
remain uninitialized. This is probably not what you want, and to cope with
BSD syslog timestamps, the following parsing statement is probably a better
option:

($mes,$dia,$hora,$anno)=split(" ",$_[0]);

Nevertheless, that would still leave $anno variable undefined, since the
timestamp does not hold the year information. To fix this, you could simply
set $anno to the current year number if it wasn't set by the parsing
statement. For example (the relevant statement is in the third line):

print "\nSystem:$mday###$mon###$year\n";\
print "\nLog:$dia##$mes##$monnum{$mes}\n";\
if (!defined($anno)) { $anno = $year; } \
if($dia<$mday && $monnum{$mes}==$mon && $anno == $year)\

I think the Suppress rule should now work in a better way for you, and it
should be able to catch events for previous days of the same month.

kind regards,
risto
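
To show the two parsing statements side by side, here is a small standalone Perl script (added for illustration; it is not code from the thread and not part of SEC itself). It keeps the %monnum table and the corrected four-variable split from above, falls back to a supplied year when the timestamp carries none, and then makes the same "earlier day of the current month" decision the Suppress rule makes. The reference date is passed in as a parameter instead of being read from localtime(time), so the outcome can be checked without depending on the clock, and the check returns 1 or 0 rather than the barewords TRUE and FALSE, which Perl does not define as constants. The sample timestamp and the reference dates are constructed from the event and the mail date in this thread.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Month name -> month number, same table as the context expression in the rule.
my %monnum = ('Jan' => 1, 'Feb' => 2, 'Mar' => 3, 'Apr' => 4, 'May' => 5,
              'Jun' => 6, 'Jul' => 7, 'Aug' => 8, 'Sep' => 9, 'Oct' => 10,
              'Nov' => 11, 'Dec' => 12);

# The original five-variable split, kept only to show where the fields land.
sub broken_split {
    my ($diaSem, $mes, $dia, $hora, $anno) = split(" ", $_[0]);
    return ($diaSem, $mes, $dia, $hora, $anno);
}

# Parse a BSD syslog timestamp such as "Jul 19 16:07:42" into
# (month number, day of month, HH:MM:SS, year). The timestamp carries no
# year, so $anno falls back to $default_year when the split leaves it undefined.
sub parse_bsd_timestamp {
    my ($ts, $default_year) = @_;
    my ($mes, $dia, $hora, $anno) = split(" ", $ts);
    die "unrecognised timestamp '$ts'\n"
        unless defined $mes && exists $monnum{$mes} && defined $dia && defined $hora;
    $anno = $default_year unless defined $anno;
    return ($monnum{$mes}, $dia, $hora, $anno);
}

# The decision the Suppress rule makes: 1 (suppress) when the event's date is an
# earlier day of the same month and year as the reference date, otherwise 0.
# The reference date is an explicit parameter (assumption made for this example);
# inside the rule it would come from localtime(time) as in the original.
sub is_earlier_day_this_month {
    my ($ts, $ref_mday, $ref_mon, $ref_year) = @_;
    my ($mon, $mday, undef, $year) = parse_bsd_timestamp($ts, $ref_year);
    return ($mday < $ref_mday && $mon == $ref_mon && $year == $ref_year) ? 1 : 0;
}

unless (caller) {
    # Constructed sample input: the event from the thread, checked against
    # reference dates around 21 Jul 2016 (the date of the original mail).
    my $ts = 'Jul 19 16:07:42';

    my @b = broken_split($ts);
    print 'broken split: ', join(' | ', map { defined $_ ? $_ : 'undef' } @b), "\n";

    my ($mon, $mday, $hora, $anno) = parse_bsd_timestamp($ts, 2016);
    print "fixed split: month=$mon day=$mday time=$hora year=$anno\n";

    for my $ref ([21, 7, 2016], [19, 7, 2016], [5, 8, 2016]) {
        my $r = is_earlier_day_this_month($ts, @$ref);
        print "reference $ref->[0]/$ref->[1]/$ref->[2]: suppress=$r\n";
    }
}
```

Running it prints the shifted fields of the broken split (with the last two undefined), the correctly parsed fields, and a 1 only for the reference date 21/7/2016, since 19 Jul is an earlier day of that month; the same day and a later month both yield 0.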


2016-07-21 13:48 GMT+03:00 Jaren Peich <burkol...@gmail.com>:

> Hi risto,
>
> I have a doubt about a Suppress rule.
>
> Scene:
>
> Input:Jul 19 16:07:42 down
>
> File 1_Extract_field.conf:
>
> type     = Jump
> ptype    = RegExp
> desc     = $0
> continue = takenext
> pattern  = (\w+\s\d+\s\d+:\d+:\d+)\s(\w+)
> varmap   = rule;date=1;action=2;
> cfset  = rulesOP
>
>
> File 2_Filter_Conditions:
>
> type      = Options
> joincfset = rulesOP
> procallin = no
>
>
> type     = Suppress
> ptype    = Cached
> pattern  = rule
> context = $+{date} ->(sub{%monnum = ('Jan' => 1, 'Feb' => 2, 'Mar' => 3,
> 'Apr' => 4, 'May' => 5, 'Jun' => 6, 'Jul' => 7, 'Aug' => 8, 'Sep' => 9,
> 'Oct' => 10, 'Nov' => 11, 'Dec' => 12);\
> ($diaSem,$mes,$dia,$hora,$anno)=split(" ",$_[0]);\
> my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) =
> localtime(time);\
> $mon=$mon+1;\
> $year=$year+1900;\
> $wday=$wday+1;\
> print "\nSystem:$mday###$mon###$year\n";\
> print "\nLog:$dia##$mes##$monnum{$mes}\n";\
> if($dia<$mday && $monnum{$mes}==$mon && $anno == $year)\
> {\
> return TRUE;\
> }else{\
> return FALSE;\
> }})
>
> type     = Jump
> ptype    = Cached
> continue = Takenext
> pattern  = rule
> context = $+{action} ->(sub{$_[0] =~ m/down/gi})
> cfset    = rule-Alert
>
> File 3_Alert_Launch:
>
> type      = Options
> joincfset = rule-Alert
> procallin = no
>
>
> type     = SingleWithThreshold
> ptype    = Cached
> continue = TakeNext
> pattern  = rule
> window   = 300
> thresh   = 10
> desc     = $+{event_date}
> action   = eval %o (print "Launch Alert";);
>
>
> Problem: I don't know how to validate or not validate the Suppress rule
> depending on the if code. Suppress or not suppress the input.
>
> Thank you in advance! Regards, Risto.
>
>
>
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users