Hi Risto,
My name is Agustín. I'm working with SEC and I have a problem that I can't
solve.
I have different events such as:
EVENT_TYPE_A FROM 1.1.1.1
EVENT_TYPE_A FROM 2.2.2.2
EVENT_TYPE_B FROM 1.1.1.1
EVENT_TYPE_B FROM 2.2.2.2
EVENT_TYPE_C FROM 1.1.1.1
EVENT_TYPE_C FROM 2.2.2.2
EVENT_TYPE_D FROM 2.2.2.2
FINISH
And I want to get SEC to correlate the events for each IP when the FINISH event
comes in with the following logic:
* For each IP:
  * (INPUT FOR SAME IP)
    EVENT_TYPE_A && EVENT_TYPE_B
  * (OUTPUT)
    MATCH_1 FOR IP
  * (INPUT FOR SAME IP)
    EVENT_TYPE_A && EVENT_TYPE_B && EVENT_TYPE_C
  * (OUTPUT)
    MATCH_2 FOR IP
  * (INPUT FOR SAME IP)
    EVENT_TYPE_A || EVENT_TYPE_B && EVENT_TYPE_D
  * (OUTPUT)
    MATCH_3 FOR IP
To begin with, I've tried the following:
type=EventGroup3
ptype=RegExp
pattern=( EVENT_TYPE_A )(.*)
varmap= IP=2;
context= !EVENT_TYPE_A _$+{IP}
count=create EVENT_TYPE_A _$+{IP}
ptype2=RegExp
pattern2= ( EVENT_TYPE_B )(.*)
varmap2= IP=2;
context2=!EVENT_TYPE_B $+{IP}
count2=create EVENT_TYPE_B _$+{IP}
ptype3=RegExp
pattern3=FINISH
desc=TEST
action=logonly MATCH_1 FOR $+{IP}
window=60
When I try to enter the following events:
EVENT_TYPE_A 1.1.1.1
EVENT_TYPE_A 2.2.2.2
EVENT_TYPE_B 1.1.1.1
EVENT_TYPE_B 2.2.2.2
FINISH
I get the following output:
MATCH_1 FOR 1.1.1.1
And I want to get the following output:
MATCH_1 FOR 1.1.1.1
MATCH_1 FOR 2.2.2.2
How can I solve this?
Thank you very much!
Agustín
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
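The per-IP correlation the post describes, as an added Python example that is not part of the original message and is not SEC's own code or a SEC rule: every event is parsed with a regex equivalent to the post's `( EVENT_TYPE_X )(.*)` patterns, the event types seen are accumulated per IP (the role the per-IP contexts play in SEC), and on FINISH each of the three conditions is evaluated once for every IP that was seen, which is what produces one MATCH line per IP rather than one in total. The rule names MATCH_1 to MATCH_3 and the event lines come from the post; the class and function names, and the sample input, are this example's own. The MATCH_3 condition is encoded exactly as written in the post, `A || B && D`, and the usual Perl-style precedence (`&&` binding tighter than `||`) is an assumption made here; if `(A || B) && D` is what is meant, the predicate is the one line to change.

```python
import re
from collections import defaultdict

# Constructed sample input modelled on the events in the post. Both the
# "EVENT_TYPE_A FROM 1.1.1.1" form and the bare "EVENT_TYPE_A 1.1.1.1" form
# appear on the page, so the parser accepts either.
SAMPLE_EVENTS = [
    "EVENT_TYPE_A FROM 1.1.1.1",
    "EVENT_TYPE_A FROM 2.2.2.2",
    "EVENT_TYPE_B FROM 1.1.1.1",
    "EVENT_TYPE_B FROM 2.2.2.2",
    "EVENT_TYPE_C FROM 1.1.1.1",
    "EVENT_TYPE_C FROM 2.2.2.2",
    "EVENT_TYPE_D FROM 2.2.2.2",
    "FINISH",
]

# Group 1: event type, group 2: the IP (the post's varmap IP=2 equivalent).
EVENT_RE = re.compile(
    r"^(EVENT_TYPE_[A-Z])(?: FROM)? (\d{1,3}(?:\.\d{1,3}){3})$"
)

# Each rule is (output label, predicate over the set of type letters seen for
# one IP). MATCH_3 follows the post's "A || B && D" with && binding tighter,
# i.e. A || (B && D); that precedence is an assumption of this example.
RULES = [
    ("MATCH_1", lambda s: "A" in s and "B" in s),
    ("MATCH_2", lambda s: "A" in s and "B" in s and "C" in s),
    ("MATCH_3", lambda s: "A" in s or ("B" in s and "D" in s)),
]


class PerIpCorrelator:
    """Accumulates event types per IP and evaluates all rules on FINISH."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.seen = defaultdict(set)  # ip -> set of type letters, e.g. {"A", "B"}

    def feed(self, line):
        """Consume one line; returns the MATCH lines emitted (only on FINISH)."""
        line = line.strip()
        if line == "FINISH":
            return self.finish()
        m = EVENT_RE.match(line)
        if not m:
            return []  # not one of the known events: ignore it
        etype, ip = m.group(1)[-1], m.group(2)  # "EVENT_TYPE_A" -> "A"
        self.seen[ip].add(etype)
        return []

    def finish(self):
        """Evaluate every rule for every IP seen, then reset the per-IP state."""
        out = []
        # Sort numerically by octet so output order is stable and readable.
        for ip in sorted(self.seen, key=lambda a: tuple(int(o) for o in a.split("."))):
            for label, pred in self.rules:
                if pred(self.seen[ip]):
                    out.append(f"{label} FOR {ip}")
        self.seen.clear()  # like deleting the per-IP contexts: next batch starts clean
        return out


def correlate(lines):
    """Run a fresh correlator over an iterable of event lines; returns all MATCH lines."""
    corr = PerIpCorrelator()
    out = []
    for line in lines:
        out.extend(corr.feed(line))
    return out


if __name__ == "__main__":
    for match in correlate(SAMPLE_EVENTS):
        print(match)
```

Fed the post's second input (A and B for both IPs, then FINISH), this yields MATCH_1 for 1.1.1.1 and for 2.2.2.2, which is the output the post asks for; it also yields MATCH_3 for both, because with the precedence assumed here the presence of EVENT_TYPE_A alone satisfies `A || B && D`. The reset in `finish()` matters for a long-running correlator: without it, a later FINISH would re-report every IP ever seen.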