NXLog search
Let's talk Start free
Let's talk Start free

Nxlog module

View thread
antonio_cuestag
Hi, 

I am doing a rule which detects me are making multiple responses of ICMP from the same IP in which there are diferent IPs.
 
The problem that i have is that don't write in the output with raw_event and file_write. In file_write I put the "otro" file. 

Do you know it can be?
 
Antonio.
 
File nxlog.conf:
 

<Extension fileop>
    Module      xm_fileop
</Extension>

<Input in4>
    Module    im_file
    File    "/home/antonio/Descargas/sn"
    SavePos TRUE
    Exec    if ($raw_event =~ /^\d\d:\d\d:\d\d.(.+)/) {     \
                    $Message = $1;            \
                    $raw_event = $Message;       \
                }
    exec if $Message =~ /IP (\S{1,}) > \S{1,}:/ $IP=$1;

</Input>

<Input internal>
    Module    im_internal
    Exec    $raw_event = $Message;
</Input>


<Output out4>
    Module    om_file
    File    "/home/antonio/Descargas/nx"
</Output>

<Processor evcorr>
    Module       pm_evcorr

    <Thresholded>
    
           Condition  $Message =~ /^ICMP echo reply/ 
           Threshold  3
           Interval   120
    Context $IP
    Exec       $raw_event = "3 ECHO REPLY packets from host $IP";
    Exec        file_write("/home/antonio/Descargas/otro", "3 ECHO REPLY packets from host $IP");
    </Thresholded>

</Processor>

<Route 4>

Path    in4, internal => evcorr => out4
</Route>

 
File sn:
 

17:11:33.953173 IP mad01s25-in-f3.1e100.net > 192.168.20.153: ICMP echo reply, id 62478, seq 2, length 64

17:11:33.953173 IP mad01s25-in-f3.1e100.net > 192.168.20.153: ICMP echo reply, id 62478, seq 2, length 64

17:11:33.953173 IP mad01s25-in-f3.1e100.net > 192.168.20.153: ICMP echo reply, id 62478, seq 2, length 64

17:11:33.953173 IP mad01s25-in-f3.1e100.net > 192.168.20.153: ICMP echo reply, id 62478, seq 2, length 64

17:11:33.953173 IP mad01s25-in-f3.1e100.net > 192.168.20.153: ICMP echo reply, id 62478, seq 2, length 64

17:11:33.953173 IP mad01s25-in-f3.1e100.net > 192.168.20.153: ICMP echo reply, id 62478, seq 2, length 64

17:11:33.953173 IP mad01s25-in-f3.1e100.net > 192.168.20.153: ICMP echo reply, id 62478, seq 2, length 64

17:11:33.953173 IP mad01s25-in-f3.1e100.net > 192.168.20.153: ICMP echo reply, id 62478, seq 2, length 64

 
File nx:
 
inode changed for '/home/antonio/Descargas/sn': reopening possibly rotated file
953173 IP mad01s25-in-f3.1e100.net > 192.168.20.153: ICMP echo reply, id 62478, seq 2, length 64
953173 IP mad01s25-in-f3.1e100.net > 192.168.20.153: ICMP echo reply, id 62478, seq 2, length 64
953173 IP mad01s25-in-f3.1e100.net > 192.168.20.153: ICMP echo reply, id 62478, seq 2, length 64
953173 IP mad01s25-in-f3.1e100.net > 192.168.20.153: ICMP echo reply, id 62478, seq 2, length 64
953173 IP mad01s25-in-f3.1e100.net > 192.168.20.153: ICMP echo reply, id 62478, seq 2, length 64
953173 IP mad01s25-in-f3.1e100.net > 192.168.20.153: ICMP echo reply, id 62478, seq 2, length 64
953173 IP mad01s25-in-f3.1e100.net > 192.168.20.153: ICMP echo reply, id 62478, seq 2, length 64
953173 IP mad01s25-in-f3.1e100.net > 192.168.20.153: ICMP echo reply, id 62478, seq 2, length 64
 
File otro:
 
Thanks :))