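# does_action_exist - report how long a matching, still-active action has left.
#
# Looks in the "actions" table for a row whose match fields, masks and action
# equal the arguments, whose start_date + duration (minutes) is still in the
# future, and whose end_date is NULL.
#
# Arguments (positional, 13 in total):
#   src_ip, dst_ip, src_port_or_icmp_type, dst_port_or_icmp_code, protocol,
#   flags, src_ip_mask, dst_ip_mask, src_port_or_icmp_type_mask,
#   dst_port_or_icmp_code_mask, protocol_mask, flags_mask, action
#
# Returns the remaining lifetime of the fetched row in whole minutes
# (int(seconds / 60)), or 0 when no row was fetched. A row with less than
# 60 seconds left therefore also yields 0.
#
# Every value is passed as a bound parameter instead of being interpolated
# into the statement text, so an argument can no longer change the shape of
# the query (SQL injection through any of the 13 fields).
# NOTE(review): the earlier statement interpolated the first 12 values
# unquoted, so they were presumably plain numbers; confirm that no caller
# passes an SQL expression in one of them, since a bound value is always
# treated as data.
#
# NOTE(review): the empty prototype contradicts the 13 arguments read below.
# It is left unchanged so existing declarations and call sites are not
# affected; presumably callers use the &name(...) form, which ignores
# prototypes.
sub does_action_exist() {
    my (
        $src_ip,                     $dst_ip,
        $src_port_or_icmp_type,      $dst_port_or_icmp_code,
        $protocol,                   $flags,
        $src_ip_mask,                $dst_ip_mask,
        $src_port_or_icmp_type_mask, $dst_port_or_icmp_code_mask,
        $protocol_mask,              $flags_mask,
        $action,
    ) = @_;

    my $time_left;

    # The &-call form is kept on purpose: it bypasses prototypes, and the
    # helpers are defined outside this block where their prototypes cannot
    # be checked.
    my $dbh = &connect_to_db();

    my $sql =
        "select (unix_timestamp(start_date) + (duration * 60)) - "
      . "unix_timestamp(NOW()) as time_left from actions where src_ip = ? "
      . "and dst_ip = ? and src_port_or_icmp_type = ? "
      . "and dst_port_or_icmp_code = ? and protocol = ? and flags = ? and "
      . "src_ip_mask = ? and dst_ip_mask = ? and "
      . "src_port_or_icmp_type_mask = ? and "
      . "dst_port_or_icmp_code_mask = ? and "
      . "protocol_mask = ? and flags_mask = ? and "
      . "action = ? and unix_timestamp(start_date) + (duration * 60) > "
      . "unix_timestamp(NOW()) and end_date is NULL";

    # NOTE(review): prepare/execute results are not checked here; whether a
    # failure raises or silently leads to the 0 return depends on how
    # connect_to_db() configures the handle, which is not visible in this
    # block.
    my $sth = $dbh->prepare($sql);
    $sth->execute(
        $src_ip,                     $dst_ip,
        $src_port_or_icmp_type,      $dst_port_or_icmp_code,
        $protocol,                   $flags,
        $src_ip_mask,                $dst_ip_mask,
        $src_port_or_icmp_type_mask, $dst_port_or_icmp_code_mask,
        $protocol_mask,              $flags_mask,
        $action,
    );
    $sth->bind_columns(undef, \$time_left);

    # Only the first matching row is read.
    $sth->fetch();
    $sth->finish();
    &disconnect_from_db($dbh);

    # $time_left stays undef when no row was fetched; test definedness first
    # so the string comparison does not warn on undef.
    return(int($time_left / 60)) if(defined($time_left) && $time_left ne "");
    return(0);
}

Original Config ----------------------------------------------------------- # [EVENT TEMPLATE] $template sample, "%timereported:::date-mysql% %HOSTNAME\n" # [EVENT PROCESSING] if $programname == 'sample_event' then | tmp/meh;sample if $programname == 'sample_event' then ~ Destination config ----------------------------------------------------------- # [EVENT TEMPLATE] $template foo, "this is template stuff % meh bar\n" $template bar, "more template stuff. 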
Did the sox win %meh\n" $template aquabuda "rand Paul is %funny\n" #Comments #Comments #Other random comments # [EVENT PROCESSING] if $programname == 'somename' then /tmp/foo;meh if $programname == 'somename' then ~ if $programname == 'super' then /tmp/super;meh if $programname == 'another' then /tmp/another;meh if $programname == 'direct' then /var/log/messages;direct # Debug if $programname == 'generic' then /var/log/messages if $programname == 'other' then ~