...
```krl
rule process_error {
  // Selected whenever a system error event is raised
  select when system error
  pre {
    // Collect the attributes carried by the error event
    level = event:attr("level")
    data = event:attr("data")
    rid = event:attr("rid")
    rule_name = event:attr("rule_name")
    genus = event:attr("genus")
    info = {
      "level": level,
      "data": data,
      "source": rid + ":" + rule_name,
      "genus": genus,
      "time": time:now()
    }
  }
  always {
    // Write the encoded map to the log at error level
    log error info.encode()
  }
}
```
Like any other event, if an error event is raised and no rule is selected for it, nothing happens.