I'm back with my ruleset problem. This is the ruleset I'm trying to fire up
on Windows:
RuleSet33 RuleSet EventAttr34 EventAttr42
"" 0
EventAttr34 EventAttr EventAttr35 EventAttr40
Specific 0 5 "" 0
EventAttr35 EventAttr AttrDelay36
Origin 0 192.168.4.84 "" 0
AttrDelay36 AttrDelay EventAttr37
"" 0 "" 180 "" 0 0 0 "Origin Origin 0~"
EventAttr37 EventAttr AttrJoin38
Specific 0 5 "" 0
AttrJoin38 AttrJoin UserExit39
"" 0 "" 600 "" 0 "Specific Specific 0~"
UserExit39 UserExit
" set >>loglog" 0 0 0 ""
EventAttr40 EventAttr AttrDelay41
Origin 0 192.168.4.83 "" 0
AttrDelay41 AttrDelay AttrJoin38.2
"" 0 "" 180 "" 0 0 0 "Origin Origin 0~"
EventAttr42 EventAttr EventAttr43 EventAttr44
Specific 0 9 "" 0
EventAttr43 EventAttr AttrDelay36.2
Origin 0 192.168.4.84 "" 0
EventAttr44 EventAttr AttrDelay41.2
Origin 0 192.168.4.83 "" 0
and this is the log file (nvcordd.log):
2004/03/12 15:48:48 : loading for correlationAppl 0x00FB0080
2004/03/12 15:48:48 : CorrDnode=0x01050038 ForwardCorr ap=0x00000000
2004/03/12 15:48:48 : new ap=0x00FB0080
2004/03/12 15:48:48 : UserExitDnode=0x016A0038 UserExit
2004/03/12 15:48:48 : UserExitDnode=0x016A0038 UserExit
2004/03/12 15:48:48 : UserExitDnode=0x016A0038 UserExit
2004/03/12 15:48:48 : UserExitDnode=0x016A0038 UserExit
2004/03/12 15:48:48 : Adding dnode to CorrelationDefinitionRuleSet
2004/03/12 15:48:48 : ===> Processing actions for regula.rs
2004/03/12 15:48:48 : ===> Completed actions for regula.rs forwards=0
overrides=0 resolves=0
2004/03/12 15:48:48 : ===> trap (6, 5)
2004/03/12 15:48:52 : Attr(EnterpriseID='(char,1.3.6.1.2.1.318)')
2004/03/12 15:48:52 : Attr(Generic='(ulong,6)')
2004/03/12 15:48:52 : Attr(Specific='5')
2004/03/12 15:48:52 : Received event CID(1) sysOID(1.3.6.1.2.1.318)
Gen(6) Spec(5)
2004/03/12 15:48:52 : ===> Processing Event =========================== 1
of 1
Event CID(1) 15:48:52
Attr(EnterpriseID='(char,1.3.6.1.2.1.318)')
Attr(Generic='(ulong,6)')
Attr(Specific='5')
2004/03/12 15:48:52 : RootDnode::resolveRootDnode() = TRUE
2004/03/12 15:48:52 : RuleSet::resolve() RuleSetName =regula.rs
2004/03/12 15:48:52 :
EventAttributes::resolve(EventAttrDnode(Attr:Specific eq 5)) (ulong,5)
CONTINUE
2004/03/12 15:48:52 : Attr(Origin='(ulong,1409591488)')
2004/03/12 15:48:52 : Attr(sysUpTime='(ulong,1)')
2004/03/12 15:48:52 : Attr(Community='(char,)')
2004/03/12 15:48:52 : Attr(Category='(ulong,2)')
2004/03/12 15:48:52 : Attr(Source='(char,?)')
2004/03/12 15:48:52 : Attr(Severity='(ulong,1)')
2004/03/12 15:48:52 : EventAttributes::resolve(EventAttrDnode(Attr:Origin
eq 192.168.4.84)) (char,192.168.4.84) CONTINUE
2004/03/12 15:48:56 : ResetOnMatch:(7) event is being SAVED
2004/03/12 15:48:56 : EventAttributes::resolve(EventAttrDnode(Attr:Origin
eq 192.168.4.83)) (char,192.168.4.84) STOP
2004/03/12 15:49:01 :
EventAttributes::resolve(EventAttrDnode(Attr:Specific eq 9)) (ulong,5) STOP
2004/03/12 15:49:01 : Ruleset regula.rs got 0
2004/03/12 15:49:01 : ===> Processing actions for regula.rs
2004/03/12 15:49:01 : ===> Completed actions for regula.rs forwards=0
overrides=0 resolves=0
2004/03/12 15:49:01 : ===> Finished with the trap
====================================
2004/03/12 15:49:01 : ===> trap (6, 5)
2004/03/12 15:49:01 : Attr(EnterpriseID='(char,1.3.6.1.2.1.318)')
2004/03/12 15:49:01 : Attr(Generic='(ulong,6)')
2004/03/12 15:49:01 : Attr(Specific='5')
2004/03/12 15:49:01 : Received event CID(2) sysOID(1.3.6.1.2.1.318)
Gen(6) Spec(5)
2004/03/12 15:49:01 : ===> Processing Event =========================== 1
of 1
Event CID(2) 15:49:01
Attr(EnterpriseID='(char,1.3.6.1.2.1.318)')
Attr(Generic='(ulong,6)')
Attr(Specific='5')
2004/03/12 15:49:01 : RootDnode::resolveRootDnode() = TRUE
2004/03/12 15:49:01 : RuleSet::resolve() RuleSetName =regula.rs
2004/03/12 15:49:01 :
EventAttributes::resolve(EventAttrDnode(Attr:Specific eq 5)) (ulong,5)
CONTINUE
2004/03/12 15:49:01 : Attr(Origin='(ulong,1392814272)')
2004/03/12 15:49:01 : Attr(sysUpTime='(ulong,1)')
2004/03/12 15:49:01 : Attr(Community='(char,)')
2004/03/12 15:49:01 : Attr(Category='(ulong,2)')
2004/03/12 15:49:01 : Attr(Source='(char,?)')
2004/03/12 15:49:01 : Attr(Severity='(ulong,1)')
2004/03/12 15:49:01 : EventAttributes::resolve(EventAttrDnode(Attr:Origin
eq 192.168.4.84)) (char,192.168.4.83) STOP
2004/03/12 15:49:05 : EventAttributes::resolve(EventAttrDnode(Attr:Origin
eq 192.168.4.83)) (char,192.168.4.83) CONTINUE
2004/03/12 15:49:10 : ResetOnMatch:(14) event is being SAVED
2004/03/12 15:49:10 :
EventAttributes::resolve(EventAttrDnode(Attr:Specific eq 9)) (ulong,5) STOP
2004/03/12 15:49:10 : Ruleset regula.rs got 0
2004/03/12 15:49:10 : ===> Processing actions for regula.rs
2004/03/12 15:49:10 : ===> Completed actions for regula.rs forwards=0
overrides=0 resolves=0
2004/03/12 15:49:10 : ===> Finished with the trap
====================================
2004/03/12 15:49:10 : ===> Processing time events
================================
2004/03/12 15:50:10 : ResetOnMatch::processHeartbeat(7)
RuleSetName=regula.rs
2004/03/12 15:50:10 : ResetOnMatch::processHeartbeat (7)setting
heartbeatInterval = 102 for:Event(CID(1),
Attr(EnterpriseID='(char,1.3.6.1.2.1.318)') Attr(Generic='(ulong,6)')
Attr(Specific='5') Attr(Origin='(ulong,1409591488)')
Attr(sysUpTime='(ulong,1)') Attr(Community='(char,)')
Attr(Category='(ulong,2)') Attr(Source='(char,?)')
Attr(Severity='(ulong,1)'))
2004/03/12 15:50:10 : ResetOnMatch:::processHeartbeat(7) finished
processing heartbeat.
2004/03/12 15:50:10 : ResetOnMatch::processHeartbeat(14)
RuleSetName=regula.rs
2004/03/12 15:50:10 : ResetOnMatch::processHeartbeat (14)setting
heartbeatInterval = 111 for:Event(CID(2),
Attr(EnterpriseID='(char,1.3.6.1.2.1.318)') Attr(Generic='(ulong,6)')
Attr(Specific='5') Attr(Origin='(ulong,1392814272)')
Attr(sysUpTime='(ulong,1)') Attr(Community='(char,)')
Attr(Category='(ulong,2)') Attr(Source='(char,?)')
Attr(Severity='(ulong,1)'))
2004/03/12 15:50:10 : ResetOnMatch:::processHeartbeat(14) finished
processing heartbeat.
2004/03/12 15:50:10 : ===> Processing time events
================================
2004/03/12 15:51:10 : ===> Processing time events
================================
2004/03/12 15:52:10 : ResetOnMatch::processHeartbeat(7)
RuleSetName=regula.rs
2004/03/12 15:52:10 : ResetOnMatch::processHeartbeat
RESOLVING:Event(CID(1), Attr(EnterpriseID='(char,1.3.6.1.2.1.318)')
Attr(Generic='(ulong,6)') Attr(Specific='5')
Attr(Origin='(ulong,1409591488)') Attr(sysUpTime='(ulong,1)')
Attr(Community='(char,)') Attr(Category='(ulong,2)')
Attr(Source='(char,?)') Attr(Severity='(ulong,1)'))
2004/03/12 15:52:10 : ResetOnMatch::processHeartbeat(7)
RESOLVING:Event(CID(1), Attr(EnterpriseID='(char,1.3.6.1.2.1.318)')
Attr(Generic='(ulong,6)') Attr(Specific='5')
Attr(Origin='(ulong,1409591488)') Attr(sysUpTime='(ulong,1)')
Attr(Community='(char,)') Attr(Category='(ulong,2)')
Attr(Source='(char,?)') Attr(Severity='(ulong,1)'))
I don't understand why the events don't go to the Pass on Match node after
waiting 3 minutes in Reset on Match!! On Linux that rule works OK. Also,
on Windows, a simple rule (just 2 event attributes, one Pass on Match and an
inline action) also works fine!
Thanks
Lucian vanghele
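
Added example, not part of the original post and not the product's own code: a small Python parser for the nvcordd.log trace lines quoted above. It follows each ResetOnMatch node from "event is being SAVED" through its heartbeats to RESOLVING, so the hold time can be compared with the 180 configured in the ruleset. The function names are hypothetical, and the little-endian decoding of the Origin ulong is an assumption inferred from this log, where ulong 1409591488 is compared as 192.168.4.84.

```python
import re
import socket
import struct
from datetime import datetime

# Lines copied from the log above; mail-wrapped lines are rejoined and the
# long Event(...) attribute lists are abbreviated to "..." for this sample.
SAMPLE = """\
2004/03/12 15:48:56 : ResetOnMatch:(7) event is being SAVED
2004/03/12 15:49:10 : ResetOnMatch:(14) event is being SAVED
2004/03/12 15:50:10 : ResetOnMatch::processHeartbeat (7)setting heartbeatInterval = 102 for:Event(CID(1), ...)
2004/03/12 15:50:10 : ResetOnMatch::processHeartbeat (14)setting heartbeatInterval = 111 for:Event(CID(2), ...)
2004/03/12 15:52:10 : ResetOnMatch::processHeartbeat(7) RESOLVING:Event(CID(1), ...)
"""

STAMPED = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) : (.*)$")
SAVED = re.compile(r"ResetOnMatch:\((\d+)\) event is being SAVED")
BEAT = re.compile(r"processHeartbeat \((\d+)\)setting heartbeatInterval = (\d+)")
RESOLVING = re.compile(r"processHeartbeat\((\d+)\) RESOLVING")

def decode_origin(value):
    """Assumption: Origin is the IPv4 address stored as a little-endian ulong."""
    return socket.inet_ntoa(struct.pack("<I", value))

def reset_on_match_timeline(text):
    """Map each ResetOnMatch node id to its save, heartbeat and resolve times."""
    nodes = {}
    for raw in text.splitlines():
        m = STAMPED.match(raw)
        if not m:
            continue  # continuation or separator line without a timestamp
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        for kind, pattern in (("saved", SAVED), ("beat", BEAT), ("resolving", RESOLVING)):
            hit = pattern.search(m.group(2))
            if not hit:
                continue
            node = nodes.setdefault(int(hit.group(1)), {"saved": None, "beats": [], "resolving": None})
            if kind == "beat":
                node["beats"].append((ts, int(hit.group(2))))
            else:
                node[kind] = ts
    return nodes

def held_seconds(node):
    """Seconds between SAVED and RESOLVING, or None if either is missing."""
    if node["saved"] is None or node["resolving"] is None:
        return None
    return int((node["resolving"] - node["saved"]).total_seconds())
```

On the sample lines, node 7 is held 194 seconds between SAVED and RESOLVING, and node 14 has no RESOLVING line within the captured log.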