Could it be because the two patterns are identical, thus you don't have a "recovered" string for the second to match on?
I haven't dug into this in years so I may be mistaken.

Regards,
Jon Frazier

From: Tom Damon via Simple-evcorr-users <[email protected]>
Sent: Thursday, April 11, 2024 12:00 PM
To: [email protected]
Subject: [External] [Simple-evcorr-users] Problem with action2

Hello list,

I'm trying to get this rule working. The action works, but action2 does not. What am I missing?

type=PairWithWindow
ptype=regexp
pattern=host.(\S+)\s+subtype=\S+\smessage=.*User-ID-Agent\s+(\S+)\s(\S+):
desc=(WARNING) $1 is $3 from $2
action=pipe 'sending' /etc/logzilla/scripts/sec.sh '%s'
ptype2=regexp
pattern2=host.(\S+)\s+subtype=\S+\smessage=.*User-ID-Agent\s+(\S+)\s(\S+):
desc2=(NOTICE) You seeing this means, we have seen a recovery event.
action2=pipe 'sending' /etc/logzilla/scripts/sec.sh 'recovered'
window=5

Thanks,
Tom Damon
LogZilla
_______________________________________________ Simple-evcorr-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
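As an added illustration (not from the thread and not SEC's own code), the Python below is a deliberately simplified model of the PairWithWindow semantics: an event matching pattern opens an operation, a pattern2 match inside the window fires action2, and otherwise action fires when the window expires. It assumes operations are keyed by the host capture and that pattern2 is checked against open operations before a new one is opened; SEC's real matching order and desc handling may differ, and the sample log lines and the RECOVERY regex are constructed.

```python
import re

# Constructed sample events (timestamp in seconds, log line); not from the thread.
EVENTS = [
    (0, "host=fw1 subtype=event message=User-ID-Agent agent1 disconnected: link lost"),
    (2, "host=fw1 subtype=event message=User-ID-Agent agent1 disconnected: link lost"),
    (3, "host=fw1 subtype=event message=User-ID-Agent agent1 connected: link restored"),
    (20, "host=fw2 subtype=event message=User-ID-Agent agent2 disconnected: link lost"),
    (30, "host=fw2 subtype=event message=heartbeat"),
]

# The pattern used for both pattern and pattern2 in the rule from the thread.
ALERT = re.compile(r"host.(\S+)\s+subtype=\S+\smessage=.*User-ID-Agent\s+(\S+)\s(\S+):")
# Hypothetical recovery pattern: same fields, but only for a 'connected:' message.
RECOVERY = re.compile(r"host.(\S+)\s+subtype=\S+\smessage=.*User-ID-Agent\s+(\S+)\s(connected):")


def pair_with_window(events, pattern, pattern2, window):
    """Simplified PairWithWindow model (assumption, not SEC's implementation).

    Returns the list of (action_name, host) pairs in the order they fire.
    """
    fired, pending = [], {}          # pending: host -> timestamp the operation opened
    for ts, line in events:
        for host, start in list(pending.items()):   # window expired -> action
            if ts - start > window:
                fired.append(("action", host))
                del pending[host]
        m2 = pattern2.search(line)
        if m2 and m2.group(1) in pending:           # pattern2 inside window -> action2
            fired.append(("action2", m2.group(1)))
            del pending[m2.group(1)]
            continue
        m = pattern.search(line)
        if m and m.group(1) not in pending:         # first alert opens an operation
            pending[m.group(1)] = ts
    for host in pending:                            # flush operations still open at end
        fired.append(("action", host))
    return fired
```

With pattern2 identical to pattern, the repeated alert at t=2 is taken as the "recovery" and fires action2, while with the distinct RECOVERY pattern only the 'connected:' line does.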
