Thanks for the help. Just for others' reference, I got these two filters to work...

When I want to use a threshold so that it performs the action if it sees the message 20 times in 60 seconds. This keys off a variable set called $ssh_regex:

    throttle threshold 20:60,repeat=no,key=$ssh_regex

When I want the action after the first message but not again for one hour:

    throttle 01:00:00,key=$conntrack_regex

Thanks for everybody's help. I also got suggestions to try out sec. I may do that soon but this is working for now.

-Kelly

On Mar 24, 2006, at 2:02 AM, Taneli Otala wrote:

> The trick is in the syntax...
> throttle threshold 4:60
>
> Example:
>
> watchfor /.*/ and /$ssh_regex/
>         echo
>         throttle threshold 4:60
>         exec "iptables -I INPUT 1 -s $1 -p tcp --dport 22 -j droplog"
>
> TaO
>
> Kelly Brown wrote:
>
>> Hello all:
>>
>> I'm trying to set up some swatch alerts that use throttling. I
>> can not get it to work.
>>
>> perlcode my $sa_regex = 'smtp1\.corp.* Service unavailable';
>> watchfor /$sa_regex/
>>         echo
>>         throttle 0:10:00,use=$sa_regex
>>
>> I've also tried this: throttle threshold=5:120,repeat=no
>>
>> It also does not work. I get an alert for every message.
>>
>> I've read in various places that Throttle.pm is broken and in
>> other places that it was fixed. I'm running 3.1.1-2 from a
>> debian package.
>>
>> Does anybody know if this thing is supposed to work? I don't want
>> to keep banging my head on it if it's known not to work.
>>
>> Thx
>> -K
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
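To make the two throttle behaviours Kelly describes concrete, here is an added simulation (not code from the thread or from swatch itself) that replays constructed log lines through a "threshold N:S" counter and an "HH:MM:SS" quiet period, keyed on the regex the way key=$ssh_regex is. The regex patterns, the sample log lines and the exact reset-after-firing behaviour are assumptions of this example; repeat=no is not modelled.

```python
import re
from collections import defaultdict
# Patterns standing in for the thread's $ssh_regex / $conntrack_regex (assumed, not Kelly's).
SSH_REGEX = re.compile(r"sshd\[\d+\]: Failed password .* from (\S+)")
CONNTRACK_REGEX = re.compile(r"nf_conntrack: table full, dropping packet")

def parse_period(spec):
    """'HH:MM:SS' -> seconds, the form used by 'throttle 01:00:00'."""
    hours, minutes, seconds = (int(x) for x in spec.split(":"))
    return hours * 3600 + minutes * 60 + seconds

class ThresholdThrottle:
    """'threshold N:S': act when the Nth match for a key lands within S seconds of the first.
    The counter restarts after firing, so a fresh burst of N fires again (repeat=no not modelled)."""
    def __init__(self, spec):
        self.count, self.window = (int(x) for x in spec.split(":"))
        self.hits = defaultdict(list)  # key -> timestamps of matches still inside the window

    def should_fire(self, key, ts):
        recent = [t for t in self.hits[key] if ts - t < self.window] + [ts]
        if len(recent) < self.count:
            self.hits[key] = recent
            return False
        self.hits[key] = []
        return True

class PeriodThrottle:
    """'throttle HH:MM:SS': act on the first match, then stay silent for the period."""
    def __init__(self, spec):
        self.period = parse_period(spec)
        self.last_fired = {}  # key -> timestamp of the last action

    def should_fire(self, key, ts):
        last = self.last_fired.get(key)
        if last is not None and ts - last < self.period:
            return False
        self.last_fired[key] = ts
        return True

def run(lines, regex, throttle):
    """Feed (epoch_seconds, message) pairs through one watchfor rule; return action timestamps.
    As with key=$ssh_regex above, every line matching one regex shares one counter."""
    return [ts for ts, msg in lines
            if regex.search(msg) and throttle.should_fire(regex.pattern, ts)]

# Constructed sample input: 25 SSH failures one second apart, and scattered conntrack warnings.
SSH_BURST = [(t, f"sshd[4242]: Failed password for root from 192.0.2.{t} port 5{t:03d} ssh2")
             for t in range(25)]
CONNTRACK_LOG = [(t, "kernel: nf_conntrack: table full, dropping packet")
                 for t in (0, 10, 1800, 3599, 3600, 7300)]
```

With the sample data, "20:60" fires once, at the 20th failure, while the same 20 failures spread four seconds apart never fill the window; "01:00:00" fires at 0, 3600 and 7300 seconds and suppresses everything in between.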
This archive was generated by hypermail 2.1.3 : Sat Mar 25 2006 - 19:34:33 PST