Need your help to know what went wrong in the rule.
global java.lang.String output

declare OMNewTicket
    @role( event )
    @timestamp( timeStampAttr )
    @expires( 10m )
end

# Find 'critical' events of 'Windows' which occurred after 1 minute but before 10 minutes
# of 'warning' events of 'Symantec', provided no 'Security' event with severity 'normal' exists in between
# (in the input below the 'Security' tickets carry appName "Login_failure", which is what the 'not' pattern tests)
rule "Sample Temporal"
    no-loop true
    when
        $ticket : OMNewTicket( $severity1 : severity == "warning",
                               appName == "Symantec",
                               $timeStampAttr1 : timeStampAttr )
        $ticket1 : OMNewTicket( this after[1m, 10m] $ticket,
                                severity == "critical",
                                $appName1 : appName == "Windows",
                                $timeStampAttr2 : timeStampAttr )
        not ( OMNewTicket( timeStampAttr <= $timeStampAttr2,
                           timeStampAttr >= $timeStampAttr1,
                           appName == "Login_failure", severity == "normal" ) )
    then
        drools.getWorkingMemory().setGlobal( "output", "found" );
end
For the input:
e6382090-a259-71dd-12b9-92dfda160000 14178 10/25/2008:5:59:AM warning Symantec Application
956cb3a0-a22d-71dd-09d7-c0195b7b0000 14178 10/25/2008:6:00:AM warning Login_failure Security
28bdb2e0-a25a-71dd-1bc3-c01959f40000 14178 10/25/2008:6:05:AM critical Windows Application
956cb3a0-a22d-71dd-09d7-c0195b7b0000 14178 10/25/2008:10:04:AM normal Login_failure Security
20f39930-a27d-71dd-0369-81f8b3ee0000 14178 10/25/2008:10:04:AM warning Symantec Application
648d5010-a27c-71dd-1bc3-c01959f40000 14178 10/25/2008:10:05:AM critical Windows Application
8bcb9bb0-a32f-71dd-10c5-c01959dc0000 14179 10/26/2008:7:23:AM warning Login_failure Security
8882ee70-a331-71dd-1fbc-c0068f170000 14179 10/26/2008:7:37:AM warning Symantec Application
I get the below output:
405000 405000 0 warning Symantec Sat Oct 25 05:59:00
406000 406000 0 warning Login_failure Sat Oct 25 06:00:00
407000 407000 0 critical Windows Sat Oct 25 06:05:00 found
408000 408000 0 normal Login_failure Sat Oct 25 10:04:00
409000 409000 0 warning Symantec Sat Oct 25 10:04:00
410000 410000 0 critical Windows Sat Oct 25 10:05:00
411000 411000 0 warning Login_failure Sun Oct 26 07:23:00 found
412000 412000 0 warning Symantec Sun Oct 26 07:37:00
I use a pseudo clock and set the time in the third column (for example 10/25/2008:5:59:AM) of the input as the 'timeStampAttr' by converting it to a long.
I also advance the clock accordingly.
My requirement is to get those 'critical-Windows' events which happen 1 to 10 minutes after a 'warning-Symantec' event, provided no 'normal-Login_failure' event occurs between them.
The problem is that I am not convinced by the occurrence of 'found' in row #7, because 'Login_failure' did not occur within the 10-minute interval between a Symantec and a Windows event. Also, my intention is to identify the Windows event.
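To check what the rule's constraints select when applied to the whole input at once (independent of the engine's clock and event expiry), here is a plain Python re-implementation of the same three conditions over the tickets from the post. It is an added example, not part of the original question or of Drools; the parsing only keeps the timestamp, severity and appName columns, and it treats after[1m, 10m] and the two timeStampAttr comparisons as inclusive, matching the operators in the rule. Because the 'normal Login_failure' ticket shares the 10:04 timestamp with the Symantec warning, it falls inside the closed interval and blocks the 10:05 Windows event, so only the 06:05 Windows event satisfies the rule on this data.

```python
from datetime import datetime, timedelta

# Constructed input: the tickets from the post, reduced to the three columns
# the rule actually reads (timestamp, severity, appName).
RAW = """\
10/25/2008:5:59:AM warning Symantec
10/25/2008:6:00:AM warning Login_failure
10/25/2008:6:05:AM critical Windows
10/25/2008:10:04:AM normal Login_failure
10/25/2008:10:04:AM warning Symantec
10/25/2008:10:05:AM critical Windows
10/26/2008:7:23:AM warning Login_failure
10/26/2008:7:37:AM warning Symantec
"""


def parse(raw):
    """Turn the input lines into (timestamp, severity, appName) tuples."""
    tickets = []
    for line in raw.splitlines():
        ts, severity, app = line.split()
        tickets.append((datetime.strptime(ts, "%m/%d/%Y:%I:%M:%p"), severity, app))
    return tickets


def matching_windows_events(tickets):
    """Return the timestamps of critical/Windows tickets that the rule selects.

    A ticket matches when some warning/Symantec ticket precedes it by 1 to 10
    minutes inclusive (the after[1m, 10m] constraint) and no normal/Login_failure
    ticket has a timestamp in the closed interval between the two (the 'not').
    """
    lower, upper = timedelta(minutes=1), timedelta(minutes=10)
    found = []
    for t_ts, t_sev, t_app in tickets:
        if (t_sev, t_app) != ("critical", "Windows"):
            continue
        for s_ts, s_sev, s_app in tickets:
            if (s_sev, s_app) != ("warning", "Symantec"):
                continue
            if not lower <= t_ts - s_ts <= upper:
                continue
            blocked = any(sev == "normal" and app == "Login_failure" and s_ts <= ts <= t_ts
                          for ts, sev, app in tickets)
            if not blocked:
                found.append(t_ts)
                break  # one qualifying Symantec warning is enough
    return found
```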