Re: [Simple-evcorr-users] Few questions
From: Risto V. <ris...@se...> - 2011-06-13 10:23:37
Hi Ludovic,

here are quick answers to your questions.

The %t variable is set according to the clock of the node where SEC is running. However, the timestamps of log messages are often set by the network node which emitted the messages. Therefore, the value of the %t variable can differ from the timestamp taken from the log file message. Even if clocks are synchronized across all network nodes, message transmission might still take time, and thus you might experience occasional differences.

As for your second question, if you don't want to get an e-mail after each event above threshold, set 'multact' to 'no' or delete the 'multact' field from the rule definition (the default value for 'multact' is 'no').

hope this helps,
risto

On 06/10/2011 11:48 AM, Ludovic Hutin wrote:
> Hi all,
>
> We are using sec for some correlation log with this configuration:
>
> type=EventGroup
> ptype=regexp
> pattern=ERROR,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),(PATTERN_A|PATTERN_B|PATTERN_C|PATTERN_D|PATTERN_E|PATTERN_F|PATTERN_G|PATTERN_H[^,]*|PATTERN_I),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*)
> count=lcall %ret $13 -> ( sub { ++$ucounts{$_[0]}; } ); \
>       write /logs/result/$13.login %t $8 ; \
>       add USER_$13 $0
> desc=User $13 appear
> action=pipe 'sendMail' /root/sendMail.pl $13 ;
> multact=yes
> end=lcall %ret $13 -> ( sub { return delete $ucounts{$_[0]}; } ); \
>     report USER_$13 /bin/echo %t $13 %ret>> /logs/result.txt; \
>     delete USER_$13
> window=1800
> thresh=4
>
> It works perfectly, and we get an email when a user generates 4 entries
> during 30mn.
>
> First question:
>
> I got some interrogation about the first %t value in the count
> directive: when I look at my file, I always see the same time.
>
> Example:
> ...
> Fri Jun 10 10:08:37 2011 PATTERN_A
> Fri Jun 10 10:08:37 2011 PATTERN_A
> Fri Jun 10 10:08:37 2011 PATTERN_A
> Fri Jun 10 10:08:49 2011 PATTERN_A
> Fri Jun 10 10:08:49 2011 PATTERN_A
> Fri Jun 10 10:08:49 2011 PATTERN_A
> ...
>
> The events don't come at the same time in the source log file.
> Is it normal that the time changes? Am I doing something wrong?
>
> Second question:
>
> If a 5th, 6th, 7th... event appears for the same user during the 30mn, I receive
> a second, third, fourth... mail.
> I would like to receive only one mail during the window time. Is it
> possible with the EventGroup rules?
>
> I hope my English is not too bad ;)
>
>
> Ludovic.
>
> _______________________________________________
> Simple-evcorr-users mailing list
> Sim...@li...
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
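The two points in this exchange, the message timestamp versus %t and the effect of multact on how many mails a window produces, can be checked offline with a small model of the rule. The following Python is an added illustration, not code from SEC or from either poster. It reuses the regular expression from Ludovic's rule verbatim, but assumes (the thread does not say) that field $1 of each record carries the timestamp written by the emitting node, and it simplifies SEC's window handling: here a window is closed only when the next event for that user arrives, whereas real SEC also closes windows by wall-clock time.

```python
import re
from datetime import datetime, timedelta

# The rule's regular expression as posted in the thread: group 8 ($8) is the
# matched pattern name and group 13 ($13) is the user.
PATTERN = re.compile(
    r"ERROR,([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),"
    r"(PATTERN_A|PATTERN_B|PATTERN_C|PATTERN_D|PATTERN_E|PATTERN_F"
    r"|PATTERN_G|PATTERN_H[^,]*|PATTERN_I),"
    r"([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*)"
)
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def make_line(ts, pattern, user):
    """Build a constructed 17-field record in the layout the regexp expects.

    Assumption (not stated in the thread): field 1 carries the timestamp
    written by the node that emitted the message.
    """
    fields = ["f%d" % i for i in range(1, 18)]
    fields[0] = ts        # $1: emitting node's timestamp (assumed position)
    fields[7] = pattern   # $8: the PATTERN_* group
    fields[12] = user     # $13: the user name the rule correlates on
    return "ERROR," + ",".join(fields)


# Constructed sample input: alice trips the threshold on her 4th event,
# sends a 5th inside the window, then one more after the window expired.
SAMPLE_LOG = [
    make_line("2011-06-10 10:08:37", "PATTERN_A", "alice"),
    make_line("2011-06-10 10:08:38", "PATTERN_A", "alice"),
    make_line("2011-06-10 10:08:40", "PATTERN_B", "bob"),
    make_line("2011-06-10 10:08:49", "PATTERN_A", "alice"),
    make_line("2011-06-10 10:08:49", "PATTERN_A", "alice"),   # 4th alice event
    make_line("2011-06-10 10:09:02", "PATTERN_C", "alice"),   # 5th, same window
    make_line("2011-06-10 10:40:00", "PATTERN_A", "alice"),   # 31 min later
    "INFO,not,an,error,line",                                  # does not match
]


def parse(line):
    """Return (message_timestamp, pattern, user) for a matching line, else None.

    The timestamp is taken from the message itself. SEC's %t would instead be
    the correlator host's clock at the moment the line was read, which is why
    several lines read within one second all got the same %t in the post.
    """
    m = PATTERN.match(line)
    if m is None:
        return None
    return datetime.strptime(m.group(1), TS_FORMAT), m.group(8), m.group(13)


def correlate(lines, window=1800, thresh=4, multact=False):
    """Simplified model of the EventGroup rule's thresh/window/multact logic.

    One operation per user starts at that user's first event. Each event in
    the window is counted; the action (a mail) fires when the count reaches
    thresh, and again for every later event only if multact is true. An event
    arriving after the window has elapsed ends the operation (the end report)
    and starts a new one. Simplification: real SEC also ends windows by
    wall-clock time, not only when the next event arrives.
    """
    ops = {}        # user -> {"start": datetime, "count": int}
    mails = []      # (timestamp, user) for every mail the action would send
    reports = []    # (user, count) for every end report
    span = timedelta(seconds=window)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ts, _pattern, user = ev
        op = ops.get(user)
        if op is not None and ts >= op["start"] + span:
            reports.append((user, op["count"]))
            op = None
        if op is None:
            op = ops[user] = {"start": ts, "count": 0}
        op["count"] += 1
        if op["count"] == thresh or (multact and op["count"] > thresh):
            mails.append((ts, user))
    # Flush the operations still open when the input ends.
    for user, op in ops.items():
        reports.append((user, op["count"]))
    return mails, reports


if __name__ == "__main__":
    for flag in (True, False):
        mails, reports = correlate(SAMPLE_LOG, multact=flag)
        print("multact=%s: %d mail(s), reports %s"
              % ("yes" if flag else "no", len(mails), reports))
```

Running it shows the behaviour Risto describes: with multact=yes alice's 5th event inside the window produces a second mail, with multact=no only the 4th event does, and the event at 10:40 falls outside the 1800-second window, so it closes the first operation (reported with count 5) and opens a new one. Because the model orders events by the timestamp inside the message rather than by the host clock, three lines read in the same second keep their own distinct times.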