Hi Risto,

Sorry for answering late. I was on holidays.
I want to precalculate how many files sec is going to open and compare it with
the number of files that we think sec should open, and validate the input
paths, because sometimes sec with Strawberry Perl doesn't load all paths.

Thank you! Regards.

2016-08-28 11:39 GMT+02:00 Risto Vaarandi <risto.vaara...@gmail.com>:

> hi Jaren,
> I noticed that sec has been started with the --notail and --fromstart
> options. This means that sec reads the input file from the beginning to the
> end, and when EOF is observed, it will exit. Therefore, given these command
> line options, sec can never reach the state "input file is open, and no new
> data has been observed in this file for N seconds". The --input-timeout and
> --timeout-script options only make sense in the --tail mode when you are
> tracking input files in real time for the appearance of new data. What are
> you actually trying to accomplish -- is your intention to scan already
> existing log files which are known to be complete and do not change during
> the processing?
> kind regards,
> risto
>
> 2016-08-25 16:16 GMT+03:00 Jaren Peich <burkol...@gmail.com>:
>
>> Hi,
>>
>> Sorry for the typo, I hadn't realised that it didn't copy the last line.
>>
>> I was trying to achieve the goal and I don't know why they are not working.
>>
>>
>> First idea:
>>
>> perl C:\sec -intevents -fromstart -notail -conf=C:\event.conf
>> -input=C:\log.log -input-timeout=60 -timeout-script=C:\line.bat -log=Log.log
>>
>> Output:
>> The script executes as normal, but the problem is that it doesn't wait for
>> 60 seconds and doesn't execute the .bat script. I also tried with a Perl script
>> and it wasn't executed.
>> I tested with rules that are working and we had the same result.
>>
>>
>> Second idea:
>>
>>
>> General input for all the rules:
>> _____________________________________________________________________
>> Mon Aug  8 14:54:42 2016: 2 rules loaded from C:\events.conf
>> Wed Aug 24 06:59:01 2016: Opening input file C:\sec.log
>> _____________________________________________________________________
>>
>>
>> First option:
>>
>> type=EventGroup2
>> ptype=RegExp
>> pattern = .{25}\s(\d+)\srules\sloaded\sfrom\s(.*)
>> count = create cHold 60
>> thresh=1
>> ptype2=RegExp
>> pattern2=.{25}\sOpening\sinput\sfile\s(.*)
>> thresh2=1
>> context2=cHold
>> window=60
>> action =delete cHold;create cHold 60;
>> end = write c:\alerts.log "Error in SEC files"
>> desc=acumula
>>
>> Output:
>> It executes the rules but doesn't wait until the context or rule finishes. I
>> also used "set" to modify the context and had the same result as before.
>>
>> Second option:
>>
>> type=suppress
>> ptype=regexp
>> pattern=(.*SEC_STARTUP.*|.*SEC_PRE_RESTART.*|.*SEC_RESTART.*|.*SEC_PRE_SOFTRESTART.*|.*SEC_SOFTRESTART .*|.*SEC_PRE_LOGROTATE.*|.*SEC_LOGROTATE.*|.*SEC_SHUTDOWN.*)
>>
>> type=single
>> ptype=regexp
>> continue =dontcont
>> pattern=.{25}\s(\d+)\srules\sloaded\sfrom\s(.*)
>> desc=acumula
>> action=create cHold 60
>>
>>
>> type=single
>> ptype=regexp
>> continue =dontcont
>> pattern=.{25}\sOpening\sinput\sfile\s(.*)
>> context=cHold
>> desc=acumula
>> action=delete cHold;create cHold 60
>>
>> type=single
>> ptype=regexp
>> pattern=.*
>> context=!cHold
>> desc=acumula
>> action=write c:\alerts.log "Error loading files"
>>
>> Output:
>> It executes the rules but doesn't wait until the context or rule finishes. I
>> also used "set" to modify the context and I had the same result as before.
>>
>> Third option:
>>
>> type=suppress
>> ptype=regexp
>> pattern=(.*SEC_STARTUP.*|.*SEC_PRE_RESTART.*|.*SEC_RESTART.*|.*SEC_PRE_SOFTRESTART.*|.*SEC_SOFTRESTART .*|.*SEC_PRE_LOGROTATE.*|.*SEC_LOGROTATE.*|.*SEC_SHUTDOWN.*)
>>
>> type=single
>> ptype=regexp
>> continue =dontcont
>> pattern=.{25}\s(\d+)\srules\sloaded\sfrom\s(.*)
>> desc=acumula
>> action=create cHold 60
>>
>>
>> type=single
>> ptype=regexp
>> continue =dontcont
>> pattern=.{25}\sOpening\sinput\sfile\s(.*)
>> context=cHold
>> desc=acumula
>> action=reset -1
>>
>> type=single
>> ptype=regexp
>> pattern=.*
>> context=!cHold
>> desc=acumula
>> action=write c:\alerts.log "Error loading files"
>>
>> Output:
>> It executes the rules but doesn't wait until the context or rule finishes. I
>> also used "set" to modify the context and I had the same result as before.
>>
>>
>> I don't know how to keep the rule or context window alive until it
>> finishes and writes, and detect that it is not writing. Also, is it possible to
>> know how many files are going to be read when you use a "regex" as an input?
>> Example: -input=c:\*.log
>> If you can calculate the number of files to be opened beforehand, you can
>> calculate the thresh of the rule and stop when it has finished.
>>
>> Thanks for your help Risto! Regards.
>>
>>
>> 2016-08-23 12:47 GMT+02:00 Risto Vaarandi <risto.vaara...@gmail.com>:
>>
>>>
>>>
>>> 2016-08-23 11:25 GMT+03:00 Jaren Peich <burkol...@gmail.com>:
>>>
>>>> Hi,
>>>>
>>>> I have tested on Windows Server 2008 + Strawberry Perl and it is not
>>>> working as expected because it doesn't run the script option.
>>>>
>>>
>>> These options should be supported on windows. How have you specified
>>> them on command line and have you checked sec error log for relevant error
>>> messages?
>>>
>>>
>>>>
>>>> I tried the second option and I don't know what happens, but the rule
>>>> doesn't wait until the context disappears and doesn't do the action in the
>>>> "end" block. Any ideas?
>>>>
>>>
>>>
>>> The EventGroup2 rule you have specified lacks the 'desc' field and
>>> produces the following error message in the sec log:
>>>
>>> Rule in test-eventgroup.conf at line 1: Keyword 'desc' missing (needed
>>> for EVENTGROUP2 rule)
>>>
>>> Since the rule definition is invalid, it is not loaded by sec, and that
>>> might be one of the reasons why the rule appears to be not working.
>>>
>>> Also, the contexts that are created in the rule definition do not
>>> influence the lifetime of event correlation operations started by this
>>> rule. So if you create the context cHold in the EventGroup2 rule and adjust
>>> its lifetime, the context cHold is a completely independent entity and does
>>> not prolong the lifetime of the counting operation started by this rule.
>>> The lifetime of the operation is fully determined by the occurrence times
>>> of events that match the 'pattern' and 'pattern2' fields.
>>>
>>> regards,
>>> risto
>>>
>>>
>>>>
>>>> Rule:
>>>> type=EventGroup2
>>>> ptype=RegExp
>>>> pattern = .*rules.*
>>>> count = create cHold 60
>>>> thresh=1
>>>> ptype2=RegExp
>>>> pattern2=.*Opening.*
>>>> thresh2=1
>>>> window=60
>>>> action =set cHold 60;reset -1
>>>> end = write c:\alerts.log "Error in SEC files"
>>>>
>>>> Thank you Risto! Regards.
>>>>
>>>
>>>
>>
>
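A small check for the file-count validation Jaren asks about (an added example, not code from the thread or from sec itself): it expands the -input glob, reads the "Opening input file" lines from the sec -log file, and reports which expected inputs never appear. It assumes Python's glob expands the pattern the way sec's Perl glob does; the sec log excerpt is constructed from the line format quoted in the thread.

```python
import glob
import re

# Constructed excerpt of a sec -log file, mirroring the line format quoted in
# the thread ("Opening input file ..."); it is not real sec output.
SAMPLE_SEC_LOG = """\
Mon Aug  8 14:54:42 2016: 2 rules loaded from C:\\events.conf
Wed Aug 24 06:59:01 2016: Opening input file C:\\logs\\app1.log
Wed Aug 24 06:59:01 2016: Opening input file C:\\logs\\app2.log
Wed Aug 24 06:59:02 2016: SEC_STARTUP
"""

# sec prefixes every log line with a 24-character timestamp followed by a colon.
OPEN_RE = re.compile(r"^.{24}: Opening input file (.+?)\s*$")


def norm(path):
    """Normalise a Windows path so C:\\Logs\\A.log and c:/logs/a.log compare equal."""
    return path.replace("\\", "/").lower()


def expected_inputs(pattern):
    """Expand the -input glob (e.g. C:\\logs\\*.log) before sec is started.
    Assumption: Python's glob matches the same files as the Perl glob sec uses."""
    return sorted(glob.glob(pattern))


def opened_inputs(sec_log_text):
    """Paths that sec itself reported opening, taken from its own log."""
    return {m.group(1) for line in sec_log_text.splitlines() if (m := OPEN_RE.match(line))}


def check_inputs(expected_paths, sec_log_text):
    """Compare the files we expect sec to open with the ones it actually opened.
    Returns (expected_count, opened_count, missing), where missing lists the
    expected paths (original spelling) that have no "Opening input file" line."""
    opened = {norm(p) for p in opened_inputs(sec_log_text)}
    missing = [p for p in expected_paths if norm(p) not in opened]
    return len(expected_paths), len(opened), missing


if __name__ == "__main__":
    # Constructed expected list; in practice use expected_inputs(r"C:\logs\*.log").
    expected = [r"C:\logs\app1.log", r"C:\logs\app2.log", r"C:\logs\app3.log"]
    n_exp, n_open, missing = check_inputs(expected, SAMPLE_SEC_LOG)
    print(f"expected {n_exp}, sec opened {n_open}, missing: {missing}")
```

Run it after sec has written its log; a non-empty missing list or a count mismatch is the condition the thread was trying to detect from inside the rule set.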
------------------------------------------------------------------------------
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users