Hi Jaren,
I noticed that sec has been started with the --notail and --fromstart
options. This means that sec reads the input file from the beginning to the
end, and when EOF is observed, it will exit. Therefore, given these command
line options, sec can never reach the state "input file is open, and no new
data has been observed in this file for N seconds". The --input-timeout and
--timeout-script options only make sense in the --tail mode when you are
tracking input files in real time for the appearance of new data. What are
you actually trying to accomplish -- is your intention to scan already
existing log files which are known to be complete and do not change during
the processing?
kind regards,
risto

2016-08-25 16:16 GMT+03:00 Jaren Peich <burkol...@gmail.com>:

> Hi,
>
> Sorry for the typo, I hadn't realised that it didn't copy the last line.
>
> I was trying to achieve the goal and I don't know why it is not working.
>
>
> First idea:
>
> perl C:\sec -intevents -fromstart -notail -conf=C:\event.conf -input=C:\log.log -input-timeout=60 -timeout-script=C:\line.bat -log=Log.log
>
> Output:
> The script executes as normal, but the problem is that it doesn't wait
> until 60 s and doesn't execute the .bat script. I also tried with a Perl
> script and it didn't execute.
> I tested with rules that are working and we had the same result.
>
>
> Second idea:
>
>
> General input for all the rules:
> _____________________________________________________________________
> Mon Aug  8 14:54:42 2016: 2 rules loaded from C:\events.conf
> Wed Aug 24 06:59:01 2016: Opening input file C:\sec.log
> _____________________________________________________________________
>
>
> First option:
>
> type=EventGroup2
> ptype=RegExp
> pattern = .{25}\s(\d+)\srules\sloaded\sfrom\s(.*)
> count = create cHold 60
> thresh=1
> ptype2=RegExp
> pattern2=.{25}\sOpening\sinput\sfile\s(.*)
> thresh2=1
> context2=cHold
> window=60
> action =delete cHold;create cHold 60;
> end = write c:\alerts.log "Error in SEC files"
> desc=acumula
>
> Output:
> It executes the rules but doesn't wait until the context or rule finishes.
> I also used "set" to modify the context and got the same result as before.
>
> Second option:
>
> type=suppress
> ptype=regexp
> pattern=(.*SEC_STARTUP.*|.*SEC_PRE_RESTART.*|.*SEC_RESTART.*|.*SEC_PRE_SOFTRESTART.*|.*SEC_SOFTRESTART.*|.*SEC_PRE_LOGROTATE.*|.*SEC_LOGROTATE.*|.*SEC_SHUTDOWN.*)
>
> type=single
> ptype=regexp
> continue =dontcont
> pattern=.{25}\s(\d+)\srules\sloaded\sfrom\s(.*)
> desc=acumula
> action=create cHold 60
>
>
> type=single
> ptype=regexp
> continue =dontcont
> pattern=.{25}\sOpening\sinput\sfile\s(.*)
> context=cHold
> desc=acumula
> action=delete cHold;create cHold 60
>
> type=single
> ptype=regexp
> pattern=.*
> context=!cHold
> desc=acumula
> action=write c:\alerts.log "Error loading files"
>
> Output:
> It executes the rules but doesn't wait until the context or rule finishes.
> I also used "set" to modify the context and I had the same result as before.
>
> Third option:
>
> type=suppress
> ptype=regexp
> pattern=(.*SEC_STARTUP.*|.*SEC_PRE_RESTART.*|.*SEC_RESTART.*|.*SEC_PRE_SOFTRESTART.*|.*SEC_SOFTRESTART.*|.*SEC_PRE_LOGROTATE.*|.*SEC_LOGROTATE.*|.*SEC_SHUTDOWN.*)
>
> type=single
> ptype=regexp
> continue =dontcont
> pattern=.{25}\s(\d+)\srules\sloaded\sfrom\s(.*)
> desc=acumula
> action=create cHold 60
>
>
> type=single
> ptype=regexp
> continue =dontcont
> pattern=.{25}\sOpening\sinput\sfile\s(.*)
> context=cHold
> desc=acumula
> action=reset -1
>
> type=single
> ptype=regexp
> pattern=.*
> context=!cHold
> desc=acumula
> action=write c:\alerts.log "Error loading files"
>
> Output:
> It executes the rules but doesn't wait until the context or rule finishes.
> I also used "set" to modify the context and I had the same result as before.
>
>
> I don't know how to keep the rule or context window alive until it
> finishes and writes, and detect that it is not writing. Also, is it possible
> to know how many files are going to be read when you use a "regex" as an input?
> Example: -input=c:\*.log
> If you can calculate the number of files to be opened beforehand, you can
> calculate the thresh of the rule and stop when it is finished.
>
> Thanks for your help Risto! Regards.
>
>
> 2016-08-23 12:47 GMT+02:00 Risto Vaarandi <risto.vaara...@gmail.com>:
>
>>
>>
>> 2016-08-23 11:25 GMT+03:00 Jaren Peich <burkol...@gmail.com>:
>>
>>> Hi,
>>>
>>> I have tested on Windows Server 2008 + Strawberry Perl and it is not
>>> working as expected because it doesn't run the script option.
>>>
>>
>> These options should be supported on windows. How have you specified them
>> on command line and have you checked sec error log for relevant error
>> messages?
>>
>>
>>>
>>> I tried the second option and I don't know what happens, but the rule
>>> doesn't wait until the context disappears and do the action in the "end"
>>> block code. Any ideas?
>>>
>>
>>
>> The EventGroup2 rule you have specified lacks the 'desc' field and
>> produces the following error message in the sec log:
>>
>> Rule in test-eventgroup.conf at line 1: Keyword 'desc' missing (needed
>> for EVENTGROUP2 rule)
>>
>> Since the rule definition is invalid, it is not loaded by sec, and that
>> might be one of the reasons why the rule appears to be not working.
>>
>> Also, the contexts that are created in the rule definition do not
>> influence the lifetime of event correlation operations started by this
>> rule. So if you create the context cHold in the EventGroup2 rule and adjust
>> its lifetime, the context cHold is a completely independent entity and does
>> not prolong the lifetime of the counting operation started by this rule.
>> The lifetime of the operation is fully determined by the occurrence times
>> of events that match the 'pattern' and 'pattern2' fields.
>>
>> regards,
>> risto
>>
>>
>>>
>>> Rule:
>>> type=EventGroup2
>>> ptype=RegExp
>>> pattern = .*rules.*
>>> count = create cHold 60
>>> thresh=1
>>> ptype2=RegExp
>>> pattern2=.*Opening.*
>>> thresh2=1
>>> window=60
>>> action =set cHold 60;reset -1
>>> end = write c:\alerts.log "Error in SEC files"
>>>
>>> Thank you Risto! Regards.
>>>
>>
>>
>
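Added example, not part of the thread or of SEC itself: Risto's point is that in --fromstart --notail mode sec reads a complete file and exits, so neither --input-timeout nor a context lifetime can fire "after 60 seconds of nothing". For a log that is already complete, the check Jaren describes (a "rules loaded" line that is not followed by "Opening input file" within 60 seconds) can instead be done on the timestamps recorded in the lines. The script below parses the two SEC log message formats quoted in the thread (the 24-character ctime prefix, "N rules loaded from PATH", "Opening input file PATH"); the 60-second window and the "Error loading files" wording come from Jaren's rules, while the function names and the extra sample lines are constructed for this example.

```python
import re
from datetime import datetime, timedelta

# SEC prefixes its own log lines with a ctime-style timestamp, e.g.
# "Mon Aug  8 14:54:42 2016: 2 rules loaded from C:\events.conf".
# The two message formats are the ones quoted in the thread; the
# surrounding script is an added example and not part of SEC.
LINE_RE = re.compile(r"^(?P<ts>.{24}): (?P<msg>.*)$")
RULES_LOADED_RE = re.compile(r"^(\d+) rules loaded from (.*)$")
OPENING_RE = re.compile(r"^Opening input file (.*)$")
TS_FORMAT = "%a %b %d %H:%M:%S %Y"  # strptime tolerates the double space before "8"


def parse_line(line):
    """Return (timestamp, message) for a SEC log line, or None if it does not parse."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    except ValueError:
        return None
    return ts, m.group("msg")


def check_startup_sequence(lines, window=60):
    """Scan a complete SEC log and report every 'rules loaded' event that is
    not followed by 'Opening input file' within `window` seconds.

    Returns a list of (kind, rules_conf, detail) tuples, where kind is
    'late_open' (an input file was opened, but after the window) or
    'no_open' (no input file was opened at all).
    """
    alerts = []
    pending = None  # (timestamp, conf_path) of the last unanswered 'rules loaded'
    limit = timedelta(seconds=window)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # not a SEC-formatted line; ignore
        ts, msg = parsed
        m = RULES_LOADED_RE.match(msg)
        if m:
            if pending is not None:
                # a new start-up occurred before the previous one opened any input
                alerts.append(("no_open", pending[1], "no input file opened"))
            pending = (ts, m.group(2))
            continue
        m = OPENING_RE.match(msg)
        if m and pending is not None:
            gap = ts - pending[0]
            if gap > limit:
                alerts.append(("late_open", pending[1],
                               f"{m.group(1)} opened after {int(gap.total_seconds())}s"))
            pending = None
    if pending is not None:
        alerts.append(("no_open", pending[1], "no input file opened before EOF"))
    return alerts


# Constructed sample: the first two lines are the ones quoted in the thread,
# the remaining three are made up to cover a healthy pair and the
# "rules loaded, then end of file" case.
SAMPLE_LOG = [
    "Mon Aug  8 14:54:42 2016: 2 rules loaded from C:\\events.conf",
    "Wed Aug 24 06:59:01 2016: Opening input file C:\\sec.log",
    "Wed Aug 24 07:00:00 2016: 3 rules loaded from C:\\other.conf",
    "Wed Aug 24 07:00:05 2016: Opening input file C:\\other.log",
    "Wed Aug 24 07:10:00 2016: 1 rules loaded from C:\\last.conf",
]

if __name__ == "__main__":
    for kind, conf, detail in check_startup_sequence(SAMPLE_LOG):
        print(f"Error loading files: {kind} for {conf}: {detail}")
```

Run against a real sec log with `check_startup_sequence(open("sec.log"))`. Because the script keys off the timestamps sec wrote rather than off wall-clock timers, it gives the same answer whether the file is read seconds or weeks after the fact, which is exactly the property the batch (--fromstart --notail) mode needs.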
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users