Script_Filter_TimeInterval_byHost.txt

Hello Acy Forsythe

Great script, thank you for providing this. I have been looking for this feature for a while.

But I have a question, I need some help for understanding the script...

As I have read somewhere else in the forum, the dictionary that you use is a variable that is stored inside the memory of the syslog service, correct?

The name of that variable is "Intervals".

So is this "Intervals" variable valid for all rules? Or is the variable just accessible for the specific script? Or also accessible for all other scripts?

I am asking because I would like to define different intervals for different rules.

So if I would like to do that I guess I have to create a vbscript per rule and in each script I have to define a different variable for storing the intervals, right?

Thanks a lot in advance.

Best regards,

Bob

Thanks for the complement, and I'm glad you're getting some use from it.

The Dictionaries are global, so you can use it in multiple scripts across multiple rules. You can think of dictionaries as global arrays or DB tables, whatever makes sense to you. They only have 2 fields though, a primary Key field that is unique, and a text field. To store more than one piece of data per key I just use a delimiter and split it when reading it out.

Keep in mind the unique Key though... Storing any new data for a particular Key will overwrite whatever was there. So if you wanted to store multiple intervals for the same host (VarPeerAddress), you would need to use a different Unique Identifier, maybe VarPeerAddress &  "Rule17" or something like that ...

So as Unique Identifier I can just use any string? Like just concatenating several existing strings?

On reflection I see that it is important to have this entry per host AND per rule, especially if the timer interval is set quite high.

Because if you use the filter for several different rules like for "access blocked" and "port down" for the same device, then you would only get the first "access blocked" message but all the following "port down" messages would not get through until the interval has gone by. Or am I missing something?

For implementing that change I guess I would have to change all lines where "Fields.VarPeerAddress" is used and change that to "Fields.VarPeerAddress&RuleNumber", right? Is that possible for all the methods like ItemExists, StoreItem, GetItem?

But the question is how do I get the number (or name) of the rule that invoked the VbScript? Because this should be variable.

Yeah, the identifier can be any unique value and it does work with all of the dictionary methods. Unfortunately there isn’t a variable for “Rule Number” stored anywhere, so you’ll have to edit that into your scripts as you set them up for each rule and you could use rule number, rule name, or even a description of what the rule is filtering.

I think that data might be nice for reporting purposes though, rule number, name, message hits etc…

Thanks.