Event Search Processing Rule

[dogoncouch]

Feature Idea

ESP rule - triggered by chain of events in a specific order.

Rule Needs

• Event chain specifics - use standard ESP language:

RuleEvent.source_rule_name=RULENAME FOLLOWED BY
LogEvent.source_host=X.X.X.X AND LogEvent.log_source=LOGSOURCE
FOLLOWED BY RuleEvent.source_rule_name=RULENAME

• Time range to check
• Check interval

Logic

1. Convert ESP language to list of dictionaries
2. Get events in time interval (work on making this more efficient later)
3. Check events in reverse, comparing to reversed list of dictionaries
4. Create rule event if sequence is matched