hi Jaren,
2016-07-22 13:29 GMT+03:00 Jaren Peich <[email protected]>:
> Thank you for your tips, I hadn't realised.
>
> The problem I have is that I want to validate the context with the Perl
> function. I only want to process current-date inputs, comparing the system date
> and the input date, and analyse the events that occurred on this date.
>
> Jul 19 16:02:42 ---> I don't want to analyse
> Jul 22 11:07:42 ---> I need to analyse
> Jul 21 12:08:42 ---> I don't want to analyse
> Jul 22 10:07:42 ---> I need to analyse
>
> I have to check the date of the event with the Perl function and validate
> the context; this is the way I thought of doing it. Is this possible?
>
it is possible to accomplish this, since the Suppress rule returns true if
the current date is smaller than the current date. After having another
look at the rule, it would still benefit from a couple of changes -- instead
of TRUE and FALSE, you could rather use 1 and 0, since FALSE is treated as
a non-empty string and actually evaluates true. Also, you could make the
date verification a bit tighter and return false only if the day, month and
year are matching the system clock readings. So instead of having the
following code block
($diaSem,$mes,$dia,$hora,$anno)=split(" ",$_[0]);\
($mes,$dia,$hora,$anno)=split(" ",$_[0]);\
my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);\
$mon=$mon+1;\
$year=$year+1900;\
$wday=$wday+1;\
print "\nSystem:$mday###$mon###$year\n";\
print "\nLog:$dia##$mes##$monnum{$mes}\n";\
if (!defined($anno)) { $anno = $year; } \
if($dia<$mday && $monnum{$mes}==$mon && $anno == $year)\
{\
return 1;\
}else{\
return 0;\
}})
try to use the following code block:
($diaSem,$mes,$dia,$hora,$anno)=split(" ",$_[0]);\
($mes,$dia,$hora,$anno)=split(" ",$_[0]);\
my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);\
$mon=$mon+1;\
$year=$year+1900;\
$wday=$wday+1;\
if (!defined($anno)) { $anno = $year; } \
return ($dia != $mday || $monnum{$mes} != $mon || $anno != $year); \
})
Since this contextual expression evaluates true for all past and future
dates, the Suppress rule will not pass events with such dates to further
rules. The only events which the Suppress rule does not match are the ones
with the current date, and therefore further rules can process them.
hope this helps,
risto
>
> Regards.
>
> 2016-07-21 14:17 GMT+02:00 Risto Vaarandi <[email protected]>:
>
>> hi Jaren,
>> what do you mean by validating the Suppress rule -- did you mean
>> debugging it, in order to identify potential faults in the rule? I had a
>> quick look into the rule and actually noticed a few things which could be
>> fixed.
>>
>> Apparently, the Suppress rule assumes that the $+{date} match variable
>> holds a date in the following format: Jul 19 16:07:42
>> (The same format is used for timestamps in BSD syslog messages.)
>>
>> However, the Perl code in the context expression of the Suppress rule
>> parses this timestamp in the following way:
>>
>> ($diaSem,$mes,$dia,$hora,$anno)=split(" ",$_[0]);
>>
>> This means that $diaSem will be set to month (e.g., Jul), $mes will be
>> set to day of the month (e.g., 19), and $dia will be set to
>> hours-minutes-seconds (e.g., 16:07:42). As for $hora and $anno, they will
>> remain uninitialized. This is probably not what you want, and to cope with
>> BSD syslog timestamps, the following parsing statement is probably a better
>> option:
>>
>> ($mes,$dia,$hora,$anno)=split(" ",$_[0]);
>>
>> Nevertheless, that would still leave $anno variable undefined, since the
>> timestamp does not hold the year information. To fix this, you could simply
>> set $anno to the current year number if it wasn't set by the parsing
>> statement. For example (the relevant statement is in the third line):
>>
>> print "\nSystem:$mday###$mon###$year\n";\
>> print "\nLog:$dia##$mes##$monnum{$mes}\n";\
>> if (!defined($anno)) { $anno = $year; } \
>> if($dia<$mday && $monnum{$mes}==$mon && $anno == $year)\
>>
>> I think the Suppress rule should now work in a better way for you, and it
>> should be able to catch events for previous days of the same month.
>>
>> kind regards,
>> risto
>>
>>
>> 2016-07-21 13:48 GMT+03:00 Jaren Peich <[email protected]>:
>>
>>> Hi Risto,
>>>
>>> I have a question about a Suppress rule.
>>>
>>> Scene:
>>>
>>> Input: Jul 19 16:07:42 down
>>>
>>> File 1_Extract_field.conf:
>>>
>>> type = Jump
>>> ptype = RegExp
>>> desc = $0
>>> continue = takenext
>>> pattern = (\w+\s\d+\s\d+:\d+:\d+)\s(\w+)
>>> varmap = rule;date=1;action=2;
>>> cfset = rulesOP
>>>
>>>
>>> File 2_Filter_Conditions:
>>>
>>> type = Options
>>> joincfset = rulesOP
>>> procallin = no
>>>
>>>
>>> type = Suppress
>>> ptype = Cached
>>> pattern = rule
>>> context = $+{date} ->(sub{%monnum = ('Jan' => 1, 'Feb' => 2, 'Mar' =>
>>> 3, 'Apr' => 4, 'May' => 5, 'Jun' => 6, 'Jul' => 7, 'Aug' => 8, 'Sep' => 9,
>>> 'Oct' => 10, 'Nov' => 11, 'Dec' => 12);\
>>> ($diaSem,$mes,$dia,$hora,$anno)=split(" ",$_[0]);\
>>> my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) =
>>> localtime(time);\
>>> $mon=$mon+1;\
>>> $year=$year+1900;\
>>> $wday=$wday+1;\
>>> print "\nSystem:$mday###$mon###$year\n";\
>>> print "\nLog:$dia##$mes##$monnum{$mes}\n";\
>>> if($dia<$mday && $monnum{$mes}==$mon && $anno == $year)\
>>> {\
>>> return TRUE;\
>>> }else{\
>>> return FALSE;\
>>> }})
>>>
>>> type = Jump
>>> ptype = Cached
>>> continue = Takenext
>>> pattern = rule
>>> context = $+{action} ->(sub{$_[0] =~ m/down/gi})
>>> cfset = rule-Alert
>>>
>>> File 3_Alert_Launch:
>>>
>>> type = Options
>>> joincfset = rule-Alert
>>> procallin = no
>>>
>>>
>>> type = SingleWithThreshold
>>> ptype = Cached
>>> continue = TakeNext
>>> pattern = rule
>>> window = 300
>>> thresh = 10
>>> desc = $+{event_date}
>>> action = eval %o (print "Launch Alert";);
>>>
>>>
>>> Problem: I don't know how to make the Suppress rule validate or not
>>> validate depending on the if code, i.e. to suppress or not suppress the input.
>>>
>>> Thank you in advance! Regards, Risto.
>>>
>>>
>>>
>>
>
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
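The date check discussed in this thread, written out as a stand-alone Perl script so it can be run outside SEC. This is an added example and not code posted by Risto or Jaren: the `not_today` function reproduces the logic of the corrected Suppress rule context (split the BSD syslog timestamp, default the missing year to the current one, return 1 to suppress and 0 to let the event through) and adds the input-validation step a practitioner would want. The optional second argument `$now`, the helper name `not_today`, and the sample timestamps and pinned clock are assumptions made for the demonstration; inside a SEC `context` expression only `$_[0]` is available.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: a stand-alone version of the
# Suppress rule's context function. not_today() returns 1 when the BSD syslog
# timestamp does NOT fall on today's date (so the Suppress rule matches and
# drops the event) and 0 when it does (the event passes to further rules).
use strict;
use warnings;
use POSIX qw(mktime);

my %monnum = (Jan => 1, Feb => 2, Mar => 3, Apr => 4,  May => 5,  Jun => 6,
              Jul => 7, Aug => 8, Sep => 9, Oct => 10, Nov => 11, Dec => 12);

# not_today($stamp, [$now])
#   $stamp -- the $+{date} match variable, e.g. "Jul 22 11:07:42", optionally
#             followed by a four-digit year
#   $now   -- epoch seconds standing in for the system clock; defaults to
#             time(). This second argument is an assumption added here so the
#             check can be run against a fixed clock; in SEC only $_[0] is set.
sub not_today {
    my ($stamp, $now) = @_;
    $now = time() unless defined $now;

    my ($mes, $dia, $hora, $anno) = split(" ", $stamp);
    my (undef, undef, undef, $mday, $mon, $year) = localtime($now);
    $mon  += 1;      # localtime() months run 0..11
    $year += 1900;   # localtime() years are offsets from 1900

    # Malformed input (unknown month name, non-numeric day) would otherwise
    # become undef/0 in the numeric comparisons below; treat it as "not
    # today" so the Suppress rule drops it rather than letting it through.
    return 1 unless defined $dia && defined $monnum{$mes} && $dia =~ /^\d+$/;

    # BSD syslog timestamps carry no year, so assume the current year unless
    # the log line supplied one (as the thread suggests).
    $anno = $year unless defined $anno;

    # Return numeric 1/0 rather than the barewords TRUE/FALSE: "FALSE" is a
    # non-empty string in Perl and therefore evaluates true.
    return ($dia != $mday || $monnum{$mes} != $mon || $anno != $year) ? 1 : 0;
}

# Constructed demonstration: pin the "system clock" to Jul 22 2016 13:30 so
# the sample lines from the thread give reproducible results.
my $fake_now = mktime(0, 30, 13, 22, 6, 116);  # sec, min, hour, mday, mon (0-based), year-1900

for my $ts ("Jul 19 16:02:42", "Jul 22 11:07:42", "Jul 21 12:08:42",
            "Jul 22 10:07:42", "Jul 22 10:07:42 2015", "Foo 22 10:07:42") {
    printf "%-22s -> %s\n", $ts, not_today($ts, $fake_now) ? "suppress" : "analyse";
}
```

With the clock pinned as above, the two "Jul 22" lines print "analyse" and the other four print "suppress", matching the four-line table Jaren gave. To use the same logic inside the rule, drop the `$now` parameter and paste the body of `not_today` into `context = $+{date} -> (sub { ... })` with the line continuations (`\`) the rule file already uses; because the Suppress rule matches whenever the expression is true, returning 1 for anything that is not today's date is what keeps those events away from the later rules. Note that without a year in the timestamp the check cannot tell a live "Jul 22" event from a replayed line of the same day in an earlier year, which is why the year is compared whenever the log line happens to carry one.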