Hello John,

You were indeed correct -- I missed that when initially going through the documentation!! That fixed it!

Greatly appreciated!

> On Mar 27, 2017, at 11:33 AM, John P. Rouillard <rou...@cs.umb.edu> wrote:
>
> Hello Rahni:
>
> In message <6369f9d0-004b-4b6c-8186-4dcb4a165...@yahoo.com>,
> Yahoo writes:
>> I'm working on monitoring a /var/log/messages, which is updated nearly every
>> 10 seconds with a message from a HADR application.
>>
>> I have the context set on that file to /var/log/messages, and I have
>> a window set to 1 day in seconds, but SEC is not ignoring subsequent
>> matches. Instead, I am getting the action fired off just as often as
>> the message is appearing in /var/log/messages....
>
> Can I assume $1 below is the timestamp of the event? If so:
>
>> Here is my definition:
>>
>> type=SingleWithSuppress
>> ptype=RegExp
>> pattern=.*([0-9]{2}:[0-9]{2}:[0-9]{2}).*hadr.*\sReturning\s1.*
>> context=[_FILE_EVENT_/var/log/messages]
>> desc=As of $1, this host is currently primary.
>          ^^^^^
>
> I think this is the problem.
>
>> action=pipe '$0%.nl --- %s --- $+{_inputsrc}' /bin/cat >> /var/log/failover-status_sec
>> window=86400
>>
>> No matter what value I put for the window, it is ignored...
>
> Correlations with windows are scoped by the description
> string. I.e. if you generate a new description string, a new
> correlation is created. You can see the running correlations by
> sending a kill -USR1 to the sec process (see the man page for
> details). I'll bet if you do that you will see one correlation
> starting every 10 seconds. My guess is you want to capture the host
> name and use that in your description string and not the timestamp.
>
> See the man page and look for the section:
>
>     Rules and Event Correlation Operations
>
> Pay attention to the sentence:
>
>     In order to distinguish one event correlation operation from
>     another, SEC assigns a key to every operation that is composed
>     from the rule file name, the rule ID, and the event description
>     string that is derived from the desc parameter of the rule
>     definition (by replacing variables with their values).
>
> Hope this helps. Have a great day.
>
> --
> -- rouilj
> John Rouillard
> ===========================================================================
> My employers don't acknowledge my existence much less my opinions.

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
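The key-scoping behaviour John describes, replayed as an added Python simulation (not SEC itself and not code from the thread): the correlation key is (rule file, rule ID, expanded desc), so a timestamp in desc starts a fresh SingleWithSuppress operation on every event while a hostname in desc keeps one operation alive for the whole window. The log lines are constructed, and the pattern is assumed to capture the syslog hostname as $2 in addition to the timestamp as $1.

```python
import re

# Constructed sample lines (not from the thread): one HADR message every 10 seconds.
SAMPLE_LINES = [
    "Mar 27 11:33:01 db01 hadr[412]: Returning 1",
    "Mar 27 11:33:11 db01 hadr[412]: Returning 1",
    "Mar 27 11:33:21 db01 hadr[412]: Returning 1",
]

# Assumed pattern: like the thread's rule it captures the timestamp as $1,
# but also captures the syslog hostname as $2 so desc can be keyed on it.
PATTERN = re.compile(
    r"^\w{3}\s+\d+\s+([0-9]{2}:[0-9]{2}:[0-9]{2})\s+(\S+).*hadr.*\sReturning\s1.*"
)


def expand_desc(template, match):
    """Substitute $0, $1, ... with capture groups, as SEC does for desc."""
    return re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))), template)


class SingleWithSuppress:
    """Minimal model of SEC's SingleWithSuppress: the operation key is
    (rule file, rule id, expanded desc); a key still inside its window suppresses."""

    def __init__(self, rule_file, rule_id, desc, window):
        self.rule_file, self.rule_id, self.desc, self.window = rule_file, rule_id, desc, window
        self.active = {}  # key -> time at which that operation's window expires

    def feed(self, line, now):
        """Return True when the action fires, False when no match or suppressed."""
        m = PATTERN.match(line)
        if not m:
            return False
        key = (self.rule_file, self.rule_id, expand_desc(self.desc, m))
        if key in self.active and now < self.active[key]:
            return False  # same operation, still inside its window
        self.active[key] = now + self.window  # new operation: fire and start window
        return True


def count_actions(desc, window=86400):
    """Replay the sample lines 10 s apart and count how often the action fires."""
    rule = SingleWithSuppress("hadr.sec", "hadr_primary", desc, window)
    return sum(rule.feed(line, now=10 * i) for i, line in enumerate(SAMPLE_LINES))


if __name__ == "__main__":
    print(count_actions("As of $1, this host is currently primary."))  # 3: one op per timestamp
    print(count_actions("$2 is currently primary."))  # 1: one op per host
```

Shrinking the window below the 10 s event spacing lets the hostname-keyed operation expire and fire again, which is the behaviour the original poster expected from window=86400.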