Hi,

I want to get all email from the same domain with the same subjects and
check if they have been delivered (status=delivered) with a thresh. The
problem is that the email log is split in different lines. The email comes
with more lines but I'm only interested to get this (Log file lines).

I have made 2 approaches but I can't validate domain variable in varmap with
their aliases to attach different context to a general context and validate
all rule.
desc field must be "subject" variable.

I'm using SEC 2.6.2 with strawberry perl.

Log file (sometimes could come disordered):

Mail 1:from=s...@sec.com
Mail 1:subject=Sec Configuration Rule
Mail 1:status=delivered
Mail 2:from=pin...@sec.com
Mail 2:subject=Sec Configuration Rule
Mail 2:status=delivered
Mail 3:from=plas...@sec.com
Mail 3:subject=Sec Configuration Rule
Mail 3:status=delivered
Mail 4:from=plas...@panik.com
Mail 4:subject=Sec Configuration Rule
Mail 4:status=delivered
Mail 4:from=plas...@paniki.com
Mail 4:subject=Sec Configuration Rule
Mail 4:status=Notdelivered

________________________________________________________________________________


First idea:

type    = Single
ptype   = RegExp
continue = Takenext
context= Domain_$+{domain}
desc    = $0
pattern = Mail\s(\d+)\:from\=(.*@(.*))
varmap= mid=1; email=2;domain=3;
action  = alias Domain_$+{domain} HIT_Domain_$+{mid};fill Domain_$+{domain} $+{domain}


type    = Single
ptype   = RegExp
continue = Takenext
context= !Domain_$+{domain}
desc    = $0
pattern = Mail\s(\d+)\:from\=(.*@(.*))
varmap= mid=1; email=2;domain=3;
action  = create Domain_$+{domain} 86400; alias Domain_$+{domain} HIT_Domain_$+{mid};




type=EventGroup2
ptype=regexp
pattern=Mail\s(\d+)\:subject\=(.*)
varmap= mid=1; subject=2
context = HIT_Domain_$+{mid}
thresh=2
count=alias Domain_$+{domain} Domain_Subject_$+{mid};
ptype2=regexp
pattern2=Mail\s(\d+)\:status\=delivered
varmap2= mid=1;
context2 = Domain_Subject_$+{mid} && HIT_Domain_$+{mid}
thresh=2
desc=Domain_$+{subject}
action= write - "Test String"
window=86400

_______________________________________________________________________________

Second idea:

type=EventGroup4
ptype   = RegExp
continue = Takenext
context= Domain_$+{domain}
desc    = $0
pattern = Mail\s(\d+)\:from\=(.*@(.*))
varmap= mid=1; email=2;domain=3;
count = alias Domain_$+{domain} HIT_Domain_$+{mid};
ptype2   = RegExp
continue2 = Takenext
context2= !Domain_$+{domain}
pattern2 = Mail\s(\d+)\:from\=(.*@(.*))
varmap2= mid=1; email=2;domain=3;
count2 = create Domain_$+{domain} 86400; alias Domain_$+{domain} HIT_Domain_$+{mid};
ptype3=regexp
pattern3=Mail\s(\d+)\:subject\=(.*)
varmap3= mid=1; subject=2
context3 = HIT_Domain_$+{mid}
thresh3=2
count3=alias DOMAIN_$+{domain} Domain_Subject_$+{mid};
ptype4=regexp
pattern4=Mail\s(\d+)\:status\=delivered
varmap4= mid=1;
context4 = Domain_Subject_$+{mid} && HIT_Domain_$+{mid}
thresh4=2
desc=Domain_$+{subject}
action= write - "Test String"
window=86400


Any ideas?

Thank you. Regards.
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
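
An added example, not part of the original post and not SEC rule code: a Python reference for the correlation the post describes (stitch the lines of each mail by ID in any order, then count delivered mails per sender domain and subject against a threshold), usable to cross-check what a rule set should report on a given log. It assumes each mail ID identifies one message and that only the three quoted line types matter; the names `correlate` and `SAMPLE`, the sample log and its addresses are constructed.

```python
import re
from collections import defaultdict

# Same line shape as in the post: "Mail <id>:<field>=<value>"
LINE_RE = re.compile(r"^Mail\s(\d+):(from|subject|status)=(.*)$")

def correlate(lines, thresh=2):
    """Return [(domain, subject, mail_ids)] for every (domain, subject) pair
    whose number of delivered mails reaches thresh. Line order does not matter."""
    mails = defaultdict(dict)        # mail id -> {"from", "subject", "status"}
    delivered = defaultdict(set)     # (domain, subject) -> ids of delivered mails
    counted = set()                  # mail ids already evaluated
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                 # any other line of the mail log is ignored
        mid, key, value = m.groups()
        rec = mails[mid]
        rec.setdefault(key, value.strip())   # first value seen per field wins
        if mid in counted or len(rec) < 3:
            continue                 # record still incomplete, or already handled
        counted.add(mid)
        if rec["status"] != "delivered":
            continue                 # e.g. "Notdelivered" is not counted
        domain = rec["from"].rpartition("@")[2].lower()
        group = (domain, rec["subject"])
        delivered[group].add(mid)
        if len(delivered[group]) == thresh:  # report once, when thresh is reached
            ids = sorted(delivered[group], key=int)
            alerts.append((domain, rec["subject"], ids))
    return alerts

# Constructed sample: mails 1 and 2 arrive interleaved and out of order.
SAMPLE = """\
Mail 1:from=alice@example.com
Mail 2:subject=Sec Configuration Rule
Mail 1:subject=Sec Configuration Rule
Mail 1:status=delivered
Mail 2:status=delivered
Mail 2:from=bob@example.com
Mail 3:from=carol@example.org
Mail 3:subject=Sec Configuration Rule
Mail 3:status=delivered
Mail 4:from=dave@example.com
Mail 4:subject=Sec Configuration Rule
Mail 4:status=Notdelivered
""".splitlines()

if __name__ == "__main__":
    for domain, subject, ids in correlate(SAMPLE):
        print(f"{subject}: {len(ids)} delivered from {domain} (mails {ids})")
```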