2016-09-09 1:10 GMT+03:00 Ganji, Shashirekha Yadav <shash...@qualcomm.com>:

> Risto,
>
> Yes, all the rules are in the same file and when I tried running the whole
> file as configuration file and provided just a dummy file that had the
> exact event, it still works.
>
> Pattern gets logged as Research pattern only when it is running as
> daemon. Just thinking if there is a possibility of hidden junk characters in
> the event??

That is one of the explanations. There is also one other opportunity -- if the PairWithWindow rule was introduced recently, maybe it wasn't simply loaded with the ABRT signal?

kind regards,
risto

> Thanks,
>
> Shashi
>
> From: Risto Vaarandi [mailto:risto.vaara...@gmail.com]
> Sent: Thursday, September 08, 2016 2:27 PM
> To: Ganji, Shashirekha Yadav <shash...@qualcomm.com>
> Cc: simple-evcorr-users@lists.sourceforge.net
> Subject: Re: [Simple-evcorr-users] Pairwithwindow rule
>
> hi Shashi,
>
> are all your rules in the same file, and is the event a single-line event
> that doesn't contain any newlines? Since the event matching process depends
> on the order of rules, and rules can be skipped with continue=goto
> statements, seeing the entire rule file would be helpful. Also, have you
> tried testing the ruleset interactively, in order to see if the
> PairWithWindow rule matches the event?
>
> kind regards,
>
> risto
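
A way to test the "hidden junk characters" explanation discussed in this thread, as an added example that is not part of the original messages and not SEC code: it lists every control, format or space-lookalike character in a raw event line, the kind of byte that lets a pattern match a hand-typed test file but not the live input. The function name `find_hidden_chars` and the sample events are constructed for illustration.

```python
import unicodedata

# Unicode categories that are invisible or look like a plain space:
# Cc control, Cf format (zero-width, BOM), Zs/Zl/Zp separators.
SUSPECT_CATEGORIES = {"Cc", "Cf", "Zs", "Zl", "Zp"}

def find_hidden_chars(line: bytes):
    """Return (byte_offset, code, description) for every character in one
    event line that a regular expression would see but a human would not."""
    if line.endswith(b"\n"):          # the line terminator itself is expected
        line = line[:-1]
    try:
        text = line.decode("utf-8")
    except UnicodeDecodeError as exc:
        # Not valid UTF-8: report the first offending byte and stop.
        return [(exc.start, f"0x{line[exc.start]:02x}", "invalid UTF-8 byte")]
    findings, offset = [], 0
    for ch in text:
        cat = unicodedata.category(ch)
        if ch != " " and cat in SUSPECT_CATEGORIES:
            # Control characters have no Unicode name; fall back to category.
            name = unicodedata.name(ch, f"unnamed ({cat})")
            findings.append((offset, f"U+{ord(ch):04X}", name))
        offset += len(ch.encode("utf-8"))   # keep offsets in bytes
    return findings

if __name__ == "__main__":
    # Constructed sample events, not taken from the thread.
    samples = [
        b"Sep  9 01:10:00 host app: link down\n",            # clean
        b"Sep  9 01:10:00 host app: link down\r\n",          # stray CR
        "Sep  9 01:10:00 host app:\u00a0link down\n".encode("utf-8"),  # NBSP
        b"\xef\xbb\xbfSep  9 01:10:00 host app: link down\n",  # leading BOM
    ]
    for raw in samples:
        print(repr(raw), "->", find_hidden_chars(raw) or "clean")
```

Feed it the exact bytes the daemon reads (for example the line cut from the monitored file in binary mode), since copying the event through a terminal or editor can drop the characters being looked for.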