hi Eli,

>
> Thank you so much Risto. It's been very informative.
>
> I ended up doing it a bit differently but you definitely opened my eyes on 
> more opportunities on how to use SEC.
>
...
> Perhaps there should be a built in construct to doing something like that? 
> Not sure whether others would find it useful or not.
>

With the newly added 'trim' action from SEC-2.9.4, you can actually
"release" the events from counting operations, provided that their
number was too small to reach the threshold. Here is an example
ruleset to illustrate that concept (I used a threshold of 5 and a
window of 10 seconds, but you can use any other values).

# Count interface up/down events per host; REPORT_<host> holds the events
# seen so far, and events that drop out of the sliding window are released.
type=EventGroup
ptype=RegExp
pattern=^(?<host>\S+) (?<if>\S+) (?:up|down)$
context=!RELEASED
desc=multiple interfaces up/down on host $+{host}
init=create REPORT_$+{host}
count=exists %e REPORT_$+{host}; if %e ( add REPORT_$+{host} $0 )
slide=getwpos %pos 0; trim %pos REPORT_$+{host} %events; cevent RELEASED 0 %events
action=write - %s; delete REPORT_$+{host}
end=exists %e REPORT_$+{host}; if %e ( copy REPORT_$+{host} %events; cevent RELEASED 0 %events; delete REPORT_$+{host} )
thresh=5
window=10

# Consume the synthetic events created with 'cevent' above (RELEASED is set
# only for them, so the first rule never matches them).
type=Single
ptype=RegExp
pattern=.
context=RELEASED
desc=print released event
action=write - Released event: $0

To keep track of all events the counting operation has observed, the
context REPORT_$+{host} is set up by the 'init' field and updated by
the 'count' field. This context will be deleted when the counting
operation reaches the threshold, and therefore the 'count' field
checks for the presence of the context with 'exists %e REPORT_$+{host}'
before updating it. A previously recorded event is considered suitable
for release only if it is no longer in the event correlation window,
and is thus no longer contributing towards reaching the threshold.
Since the action in the 'slide' field gets executed after the event
correlation window moves forward, the following action list releases
suitable events:

getwpos %pos 0; trim %pos REPORT_$+{host} %events; cevent RELEASED 0 %events

The 'getwpos' action finds the new beginning of the operation's event
correlation window after sliding, and the 'trim' action removes events
outside this window from the REPORT_$+{host} context, assigning them to
the action list variable %events. Finally, the 'cevent' action releases
these events as no longer relevant for the running operation.

If the REPORT_$+{host} context still exists when the counting
operation terminates, the threshold was never reached (otherwise the
'action' field would have deleted REPORT_$+{host}). If that is the
case, then the 'end' field takes care of releasing the event(s) still
in REPORT_$+{host}, and finally deletes the REPORT_$+{host} context.

Unlike my previously suggested solution which worked with a fixed
event correlation window, the above solution works with sliding window
based counting which is normally used by SEC event counting
operations. I hope the posted example is useful.

kind regards,
risto


_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
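The following is an added example, not part of the message above and not code from SEC: a small Python model of what the posted ruleset does, so the release semantics can be traced on sample input without running sec. The class name ReleaseCounter, its feed/expire methods and the SAMPLE_LOG lines are my own constructions. The model slides the window on every call, which approximates SEC's own expiry scheduling; the order of outputs for a given input is what the two rules would write.

```python
import re
from collections import deque

# Pattern of the posted rule, with the same named groups.
LINE_RE = re.compile(r"^(?P<host>\S+) (?P<if>\S+) (?:up|down)$")


class ReleaseCounter:
    """Hypothetical model of the EventGroup rule: one sliding-window counting
    operation per host, plus a REPORT_<host> store of events not yet reported."""

    def __init__(self, thresh=5, window=10):
        self.thresh = thresh
        self.window = window
        self.ops = {}      # host -> {"win": deque[(ts, line)], "end_at": ts or None}
        self.reports = {}  # host -> [(ts, line)]  (exists only while REPORT_<host> does)

    @staticmethod
    def _release(events):
        # 'cevent RELEASED 0 %events' feeding the second (Single) rule.
        return [f"Released event: {line}" for _, line in events]

    def _slide(self, host, now):
        """'slide' field: drop events older than the window, then trim REPORT_<host>."""
        win = self.ops[host]["win"]
        while win and now - win[0][0] >= self.window:
            win.popleft()
        if not win or host not in self.reports:
            return []
        pos = win[0][0]                                       # getwpos %pos 0
        old = [e for e in self.reports[host] if e[0] < pos]   # trim %pos REPORT_<host> %events
        self.reports[host] = [e for e in self.reports[host] if e[0] >= pos]
        return self._release(old)

    def expire(self, now):
        """Terminate finished operations; 'end' releases what the threshold never consumed."""
        out = []
        for host, op in list(self.ops.items()):
            if op["end_at"] is None:
                out += self._slide(host, now)
                if op["win"]:
                    continue                                  # still events in the window
            elif now < op["end_at"]:
                continue                                      # fired; runs until window end
            del self.ops[host]
            if host in self.reports:                          # 'end' field
                out += self._release(self.reports.pop(host))
        return out

    def feed(self, now, line):
        """Process one input line at time `now`; returns what the rules would write."""
        out = self.expire(now)
        m = LINE_RE.match(line)
        if m is None:
            return out
        host = m["host"]
        op = self.ops.get(host)
        if op is None:                                        # 'init': create REPORT_<host>
            op = self.ops[host] = {"win": deque(), "end_at": None}
            self.reports[host] = []
        if op["end_at"] is not None:
            return out                                        # action already ran; no 'count'
        op["win"].append((now, line))
        self.reports[host].append((now, line))                # 'count': add REPORT_<host> $0
        out += self._slide(host, now)
        if len(op["win"]) >= self.thresh:                     # 'action': report, delete context
            out.append(f"multiple interfaces up/down on host {host}")
            del self.reports[host]
            op["end_at"] = op["win"][0][0] + self.window
        return out


# Constructed sample input as (seconds, line); not real logs.
SAMPLE_LOG = [
    (0, "r1 eth0 down"),
    (1, "r1 sshd: accepted key"),   # does not match the pattern
    (3, "r1 eth1 down"),
    (12, "r1 eth0 up"),            # eth0 down has left the window: released
    (14, "r1 eth1 up"),            # eth1 down leaves the window: released
    (15, "r1 eth2 down"),
    (16, "r1 eth2 up"),
    (17, "r1 eth3 down"),          # fifth event within 10 s: action fires
    (18, "r1 eth3 up"),            # swallowed; REPORT_r1 is already gone
    (25, "r2 eth0 down"),          # lone event on another host
]


def demo(thresh=5, window=10, end_time=100):
    counter = ReleaseCounter(thresh, window)
    out = []
    for ts, line in SAMPLE_LOG:
        out += counter.feed(ts, line)
    return out + counter.expire(end_time)   # r2's single event is released by 'end'


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running the script prints the two early r1 events as released, then the report for r1 once five events fall inside one 10 second window, and finally the r2 event released when its operation ends with the threshold unreached.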