No problem.

Regards,
Jon Frazier

From: Tom Damon <[email protected]>
Sent: Thursday, April 11, 2024 4:00 PM
To: Frazier, Jon <[email protected]>; [email protected]
Subject: [External] [Simple-evcorr-users] Problem with action2

Ah, didn’t catch that. Thank you!

Tom Damon
LogZilla

From: Frazier, Jon <[email protected]>
Date: Thursday, April 11, 2024 at 4:41 PM
To: Tom Damon <[email protected]>, [email protected] <[email protected]>
Subject: RE: [Simple-evcorr-users] Problem with action2

Could it be because the two patterns are identical, thus you don’t have a “recovered” string for the second to match on? I haven’t dug into this in years, so I may be mistaken.

Regards,
Jon Frazier

From: Tom Damon via Simple-evcorr-users <[email protected]>
Sent: Thursday, April 11, 2024 12:00 PM
To: [email protected]
Subject: [External] [Simple-evcorr-users] Problem with action2

Hello list,

I’m trying to get this rule working. The action works, but action2 does not. What am I missing?

type=PairWithWindow
ptype=regexp
pattern=host.(\S+)\s+subtype=\S+\smessage=.*User-ID-Agent\s+(\S+)\s(\S+):
desc=(WARNING) $1 is $3 from $2
action=pipe 'sending' /etc/logzilla/scripts/sec.sh '%s'
ptype2=regexp
pattern2=host.(\S+)\s+subtype=\S+\smessage=.*User-ID-Agent\s+(\S+)\s(\S+):
desc2=(NOTICE) You seeing this means, we have seen a recovery event.
action2=pipe 'sending' /etc/logzilla/scripts/sec.sh 'recovered'
window=5

Thanks,
Tom Damon
LogZilla
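Added check, not part of the thread and not SEC's own code: the rule as posted is fed to a small script that expands desc for both patterns against constructed sample events and flags the point Jon raises, that pattern2 is identical to pattern and therefore matches exactly the same set of events. The host and agent names in the sample events are made up.

```python
import re
# The rule exactly as posted in the thread (embedded so the script runs stand-alone).
RULE_TEXT = r"""
type=PairWithWindow
ptype=regexp
pattern=host.(\S+)\s+subtype=\S+\smessage=.*User-ID-Agent\s+(\S+)\s(\S+):
desc=(WARNING) $1 is $3 from $2
action=pipe 'sending' /etc/logzilla/scripts/sec.sh '%s'
ptype2=regexp
pattern2=host.(\S+)\s+subtype=\S+\smessage=.*User-ID-Agent\s+(\S+)\s(\S+):
desc2=(NOTICE) You seeing this means, we have seen a recovery event.
action2=pipe 'sending' /etc/logzilla/scripts/sec.sh 'recovered'
window=5
"""
# Constructed sample events (hypothetical host/agent names, not from the thread).
WARNING_EVENT = "host=fw01 subtype=system message=User-ID-Agent agent1 disconnected: timeout"
RECOVERY_EVENT = "host=fw01 subtype=system message=User-ID-Agent agent1 connected: ok"
UNRELATED_EVENT = "host=fw01 subtype=system message=config change by admin"

def parse_rule(text):
    """Split a SEC rule block into {field: value}; only the first '=' separates key from value."""
    fields = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields

def expand_desc(desc, match):
    """Substitute $1..$9 in a desc string with the capture groups of the regexp match."""
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))), desc)

def evaluate(rule, event):
    """Expanded desc for pattern and for pattern2 on one event, or None where it does not match."""
    result = {}
    for suffix in ("", "2"):
        m = re.search(rule["pattern" + suffix], event)
        result["pattern" + suffix] = expand_desc(rule["desc" + suffix], m) if m else None
    return result

def lint(rule):
    """Static check a rule author would want before loading the rule into sec."""
    findings = []
    if rule.get("pattern2") == rule.get("pattern"):
        findings.append("pattern2 is identical to pattern: both match exactly the same events, "
                        "so nothing in the rule singles out a distinct recovery event")
    return findings

if __name__ == "__main__":
    rule = parse_rule(RULE_TEXT)
    for event in (WARNING_EVENT, RECOVERY_EVENT, UNRELATED_EVENT):
        print(event, "->", evaluate(rule, event))
    for finding in lint(rule):
        print("LINT:", finding)
```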
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
