2016-08-23 11:25 GMT+03:00 Jaren Peich <burkol...@gmail.com>:

> Hi,
>
> I have tested on windows server 2008 + Strawberry perl and it is not
> working as expected because it doesn't run script option.
>
These options should be supported on windows. How have you specified them on command line and have you checked sec error log for relevant error messages?

>
> I tried the second option and I don't know what's happening but the rule
> doesn't wait till the context disappears and do the action in the "end"
> block code. Any ideas?
>

The EventGroup2 rule you have specified lacks the 'desc' field and produces the following error message in the sec log:

Rule in test-eventgroup.conf at line 1: Keyword 'desc' missing (needed for EVENTGROUP2 rule)

Since the rule definition is invalid, it is not loaded by sec, and that might be one of the reasons why the rule appears to be not working.

Also, the contexts that are created in the rule definition do not influence the lifetime of event correlation operations started by this rule. So if you create the context cHold in the EventGroup2 rule and adjust its lifetime, the context cHold is a completely independent entity and does not prolong the lifetime of the counting operation started by this rule. The lifetime of the operation is fully determined by the occurrence times of events that match the 'pattern' and 'pattern2' fields.

regards,
risto

>
> Rule:
> type=EventGroup2
> ptype=RegExp
> pattern = .*rules.*
> count = create cHold 60
> thresh=1
> ptype2=RegExp
> pattern2=.*Opening.*
> thresh2=1
> window=60
> action =set cHold 60;reset -1
> end = write c:\alerts.log "Error in SEC files"
>
> Thank you Risto! Regards.
>
------------------------------------------------------------------------------
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users