2016-07-22 14:54 GMT+03:00 Risto Vaarandi <[email protected]>:

> hi Jaren,
>
>
> 2016-07-22 13:29 GMT+03:00 Jaren Peich <[email protected]>:
>
>> Thank you for your tips, I hadn't realised.
>>
>> The problem I have is that I want to validate the context with the
>> Perl function. I only want to process current-date inputs, comparing the
>> system date and the input date, and analyse the events that occurred on this date.
>>
>> Jul 19 16:02:42 ---> I don't want to analyse
>> Jul 22 11:07:42 ---> I need to analyse
>> Jul 21 12:08:42 ---> I don't want to analyse
>> Jul 22 10:07:42 ---> I need to analyse
>>
>> I have to check the date of the event with the Perl function and validate
>> the context; this is the way that I thought of. Is this possible?
>>
>
>
> ...
>
> try to use the following code block:
>
> ($diaSem,$mes,$dia,$hora,$anno)=split(" ",$_[0]);\
>

you actually don't need the previous line -- I mistakenly copied-and-pasted
it into the rule. Didn't notice it immediately, though, since the following
statement overwrites all variables with correct values :)
risto


> ($mes,$dia,$hora,$anno)=split(" ",$_[0]);\
> my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) =
> localtime(time);\
> $mon=$mon+1;\
> $year=$year+1900;\
> $wday=$wday+1;\
> if (!defined($anno)) { $anno = $year; } \
> return ($dia != $mday || $monnum{$mes} != $mon || $anno != $year); \
> })
>
> Since this contextual expression evaluates true for all past and future
> dates, the Suppress rule will not pass events with such dates to further
> rules. The only events which the Suppress rule does not match are the ones
> with the current date, and therefore further rules can process them.
>
> hope this helps,
> risto
>
>
>>
>> Regards.
>>
>> 2016-07-21 14:17 GMT+02:00 Risto Vaarandi <[email protected]>:
>>
>>> hi Jaren,
>>> what do you mean by validating the Suppress rule -- did you mean
>>> debugging it, in order to identify potential faults in the rule? I had a
>>> quick look into the rule and actually noticed a few things which could be
>>> fixed.
>>>
>>> Apparently, the Suppress rule assumes that the $+{date} match variable
>>> holds a date in the following format: Jul 19 16:07:42
>>> (The same format is used for timestamps in BSD syslog messages.)
>>>
>>> However, the Perl code in the context expression of the Suppress rule
>>> parses this timestamp in the following way:
>>>
>>> ($diaSem,$mes,$dia,$hora,$anno)=split(" ",$_[0]);
>>>
>>> This means that $diaSem will be set to month (e.g., Jul), $mes will be
>>> set to day of the month (e.g., 19), and $dia will be set to
>>> hours-minutes-seconds (e.g., 16:07:42). As for $hora and $anno, they will
>>> remain uninitialized. This is probably not what you want, and to cope with
>>> BSD syslog timestamps, the following parsing statement is probably a better
>>> option:
>>>
>>> ($mes,$dia,$hora,$anno)=split(" ",$_[0]);
>>>
>>> Nevertheless, that would still leave $anno variable undefined, since the
>>> timestamp does not hold the year information. To fix this, you could simply
>>> set $anno to the current year number if it wasn't set by the parsing
>>> statement. For example (the relevant statement is in the third line):
>>>
>>> print "\nSystem:$mday###$mon###$year\n";\
>>> print "\nLog:$dia##$mes##$monnum{$mes}\n";\
>>> if (!defined($anno)) { $anno = $year; } \
>>> if($dia<$mday && $monnum{$mes}==$mon && $anno == $year)\
>>>
>>> I think the Suppress rule should now work in a better way for you, and
>>> it should be able to catch events for previous days of the same month.
>>>
>>> kind regards,
>>> risto
>>>
>>>
>>> 2016-07-21 13:48 GMT+03:00 Jaren Peich <[email protected]>:
>>>
>>>> Hi risto,
>>>>
>>>> I have a doubt about a Suppress rule.
>>>>
>>>> Scene:
>>>>
>>>> Input:Jul 19 16:07:42 down
>>>>
>>>> File 1_Extract_field.conf:
>>>>
>>>> type     = Jump
>>>> ptype    = RegExp
>>>> desc     = $0
>>>> continue = takenext
>>>> pattern  = (\w+\s\d+\s\d+:\d+:\d+)\s(\w+)
>>>> varmap   = rule;date=1;action=2;
>>>> cfset  = rulesOP
>>>>
>>>>
>>>> File 2_Filter_Conditions:
>>>>
>>>> type      = Options
>>>> joincfset = rulesOP
>>>> procallin = no
>>>>
>>>>
>>>> type     = Suppress
>>>> ptype    = Cached
>>>> pattern  = rule
>>>> context = $+{date} ->(sub{%monnum = ('Jan' => 1, 'Feb' => 2, 'Mar' =>
>>>> 3, 'Apr' => 4, 'May' => 5, 'Jun' => 6, 'Jul' => 7, 'Aug' => 8, 'Sep' => 9,
>>>> 'Oct' => 10, 'Nov' => 11, 'Dec' => 12);\
>>>> ($diaSem,$mes,$dia,$hora,$anno)=split(" ",$_[0]);\
>>>> my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) =
>>>> localtime(time);\
>>>> $mon=$mon+1;\
>>>> $year=$year+1900;\
>>>> $wday=$wday+1;\
>>>> print "\nSystem:$mday###$mon###$year\n";\
>>>> print "\nLog:$dia##$mes##$monnum{$mes}\n";\
>>>> if($dia<$mday && $monnum{$mes}==$mon && $anno == $year)\
>>>> {\
>>>> return TRUE;\
>>>> }else{\
>>>> return FALSE;\
>>>> }})
>>>>
>>>> type     = Jump
>>>> ptype    = Cached
>>>> continue = Takenext
>>>> pattern  = rule
>>>> context = $+{action} ->(sub{$_[0] =~ m/down/gi})
>>>> cfset    = rule-Alert
>>>>
>>>> File 3_Alert_Launch:
>>>>
>>>> type      = Options
>>>> joincfset = rule-Alert
>>>> procallin = no
>>>>
>>>>
>>>> type     = SingleWithThreshold
>>>> ptype    = Cached
>>>> continue = TakeNext
>>>> pattern  = rule
>>>> window   = 300
>>>> thresh   = 10
>>>> desc     = $+{event_date}
>>>> action   = eval %o (print "Launch Alert";);
>>>>
>>>>
>>>> Problem: I don't know how to validate or not validate the Suppress
>>>> rule depending on the if code, i.e., whether to suppress the input or not.
>>>>
>>>> Thank you in advance! Regards, Risto.
>>>>
>>>>
>>>>
>>>
>>
>
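The date check that the corrected Suppress context expression performs, as a stand-alone Perl script added here for testing outside SEC (this is an added example, not code from the thread or from the SEC project): the function name is_not_today, the %monnum hash, the use of Time::Local to pin "now" to a fixed date, and the sample timestamps are all this example's own. It returns true exactly when the Suppress rule should match and drop the event, i.e. for every date other than today, and also treats an unparseable or unknown-month timestamp as "not today" so such events are dropped rather than passed on.

```perl
#!/usr/bin/perl
# Added example (not part of the mailing-list thread or of SEC itself):
# reproduce the Suppress rule's "is this event from today?" check so it can
# be run and verified outside SEC. Names below are this example's own.
use strict;
use warnings;
use Time::Local qw(timelocal);

my %monnum = ('Jan' => 1, 'Feb' => 2, 'Mar' => 3,  'Apr' => 4,  'May' => 5,  'Jun' => 6,
              'Jul' => 7, 'Aug' => 8, 'Sep' => 9,  'Oct' => 10, 'Nov' => 11, 'Dec' => 12);

# Returns true when the BSD syslog timestamp $ts ("Jul 22 11:07:42", with an
# optional trailing year) is NOT today's date, i.e. when the Suppress rule
# should match. $now is an epoch time (defaults to the current time); passing
# a fixed value makes the check reproducible.
sub is_not_today {
    my ($ts, $now) = @_;
    $now = time unless defined $now;

    # Same split as the corrected rule: month, day, hh:mm:ss, optional year.
    my ($mes, $dia, $hora, $anno) = split(" ", $ts);

    # Unparseable timestamp or unknown month name: treat as "not today" so the
    # event is suppressed instead of reaching the alerting rules.
    return 1 unless defined $mes && defined $dia && exists $monnum{$mes};

    my ($sec, $min, $hour, $mday, $mon, $year) = localtime($now);
    $mon  += 1;      # localtime returns the month as 0..11
    $year += 1900;   # localtime returns years since 1900

    # BSD syslog timestamps carry no year, so assume the current one.
    $anno = $year unless defined $anno;

    return ($dia != $mday || $monnum{$mes} != $mon || $anno != $year);
}

# Constructed "now": Jul 22 2016 12:00:00 local time (timelocal's month is 0-based).
my $now = timelocal(0, 0, 12, 22, 6, 2016);

# Constructed sample timestamps, including one with an explicit (past) year.
my @samples = (
    "Jul 19 16:02:42",
    "Jul 22 11:07:42",
    "Jul 21 12:08:42",
    "Jul 22 10:07:42",
    "Jul 22 10:07:42 2015",
    "Foo 22 10:07:42",
);

for my $ts (@samples) {
    printf "%-22s -> %s\n", $ts, is_not_today($ts, $now) ? "suppress" : "pass";
}
```

With the pinned "now", the two Jul 22 entries without a year print "pass" and everything else prints "suppress". One caveat worth keeping in mind when editing the original if/else version of the rule: in Perl the barewords TRUE and FALSE are not boolean constants; under `use strict` they do not compile, and without it they are the strings "TRUE" and "FALSE", both of which are true, so `return FALSE;` would still make the Suppress rule match. Returning the comparison expression directly, as the corrected rule does, avoids that.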
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
