Hi Guys,

I took a combination of the demoplugin.pm and my own periodic plugin that I
use for something else to attempt to pull some data out of nfdump on an
alert.  I have several alerts and I'd like them to all use the same alert
plugin so the variables are important.  I'd like them to use the profile
used for the alert etc so they are dynamic.  For example I have an ICMP
profile and an alert on that file to trigger if the ICMP traffic exceeds a
certain % more than the 30 minute average.  I also have a botnet profile,
TCP profile and Botnet C&C profile.

My "alert_action" looks like this:
sub alert_action {
        my $argref       = shift;
        my $profile      = $$argref{'profile'};
        my $profilegroup = $$argref{'profilegroup'};
        my $timeslot     = $$argref{'timeslot'};

        syslog('debug', "alertdump run: Profilegroup: $profilegroup, Profile: $profile, Time: $timeslot");

        my %profileinfo     = NfProfile::ReadProfile($profile, $profilegroup);
        my $profilepath     = NfProfile::ProfilePath($profile, $profilegroup);
        my $all_sources     = join ':', keys %{$profileinfo{'channel'}};
        my $netflow_sources = "$PROFILEDIR/$profilepath/$all_sources";

        syslog('debug', "alertdump args: '$netflow_sources'");

        #
        # process all sources of this profile at once
        my $nfdcmd = "$nfdump -M $netflow_sources -T -r nfcapd.$timeslot -n 10 -s ip/bytes '$nf_filter'";
        syslog('err', "alertdump run: ".$nfdcmd);
        my @output = `$nfdcmd`;

        #
        # Process the output and notify the duty team
        my ($matched) = $output[-4] =~ /Summary: total flows: (\d+)/;

        if ( defined $matched ) {
          syslog('debug', "alertdump run: $matched aggregated flows");
        } else {
          syslog('err', "alertdump: Unparsable output line '$output[-4]'");
        }
        return 1;
}


What ends up getting logged by the syslog('err', "alertdump run: ".$nfdcmd);
line is:
May 26 19:36:32 sonar nfsen[23543]: alertdump run: /usr/local/bin/nfdump -M /opt/nfsen/profiles-data// -T -r nfcapd.201105261930 -n 10 -s ip/bytes ''
May 26 19:36:32 sonar nfsen[23543]: alertdump: Unparsable output line ''

If I run this manually I get:
# /usr/local/bin/nfdump -M /opt/nfsen/profiles-data// -T -r nfcapd.201105261930 -n 10 -s ip/bytes ''
stat() error '/opt/nfsen/profiles-data///nfcapd.201105261930': File not found!

It seems the stuff that builds "$netflow_sources" isn't being passed to
alert_action as it would have been had this been a run {} subroutine.  Am I
going about this wrong?  Should I be generating output with the run {} routine
every 5 minutes and then report on it with alert_action {} maybe?

Any ideas or brainstorms on this are welcome.  On or off list is fine with
me although other people may benefit from on-list responses of course.

-- 
Landon Stewart <lstew...@superb.net>
SuperbHosting.Net by Superb Internet Corp.
Toll Free (US/Canada): 888-354-6128 x 4199
Direct: 206-438-5879
Web hosting and more "Ahead of the Rest": http://www.superbhosting.net
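Editor's note on the posted alert_action: the logged command shows what happens when the interpolated values are empty. `$profilepath` and `$all_sources` were undefined, so the plugin still shelled out with a bare `-M /opt/nfsen/profiles-data//` and then indexed `$output[-4]` of whatever came back. Two hardening points follow from that, independent of which keys the alert interface actually hands to alert_action: refuse to run nfdump when any piece of the command is empty or malformed, and pass the command as an argument list so `$nf_filter` and `$timeslot` are never re-parsed by /bin/sh. The Perl below is an added example, not code from the original post or from the NfSen project; the nfdump and profile paths are taken from the posted log, the profile path, channel names and nfdump output are constructed for the demonstration, and the functions `build_nfdump_argv`, `parse_total_flows` and `run_nfdump` are hypothetical names.

```perl
#!/usr/bin/perl
# Added example (not from the original post or from NfSen): build the
# nfdump command as an argv list, fail closed on empty or malformed input,
# and locate the Summary line by pattern instead of by fixed position.
use strict;
use warnings;

# Assumed locations, copied from the command in the posted syslog line.
my $NFDUMP     = '/usr/local/bin/nfdump';
my $PROFILEDIR = '/opt/nfsen/profiles-data';

# Return an argv list for nfdump, or die before anything is executed if a
# piece is missing.  An empty profilepath/sources is exactly what produced
# "-M /opt/nfsen/profiles-data//" in the posted log.
sub build_nfdump_argv {
    my (%a) = @_;
    for my $k (qw(profilepath sources timeslot)) {
        die "refusing to run nfdump: '$k' is empty\n"
            unless defined $a{$k} && length $a{$k};
    }
    # nfcapd timeslots are YYYYMMDDhhmm, as in nfcapd.201105261930
    die "bad timeslot '$a{timeslot}'\n" unless $a{timeslot} =~ /^\d{12}$/;
    # channel list is colon-separated channel names
    die "bad channel list '$a{sources}'\n"
        unless $a{sources} =~ /^[\w.-]+(?::[\w.-]+)*$/;
    my $filter = (defined $a{filter} && length $a{filter}) ? $a{filter} : 'any';
    # List form: each element is one argv entry, so the filter text reaches
    # nfdump verbatim and never passes through a shell.
    return ($NFDUMP,
            '-M', "$PROFILEDIR/$a{profilepath}/$a{sources}",
            '-T', '-r', "nfcapd.$a{timeslot}",
            '-n', ($a{top} // 10), '-s', 'ip/bytes',
            $filter);
}

# Scan every output line for the Summary line rather than trusting $output[-4];
# returns undef when nfdump printed no summary (e.g. on a stat() error).
sub parse_total_flows {
    my @lines = @_;
    for (@lines) {
        return $1 if /^Summary: total flows: (\d+)/;
    }
    return undef;
}

# Run nfdump without a shell and return its output lines.
sub run_nfdump {
    my @argv = @_;
    open(my $fh, '-|', @argv) or die "cannot exec $argv[0]: $!\n";
    my @out = <$fh>;
    close $fh;
    return @out;
}

# ---- demonstration on constructed data (no nfdump needed) ----
my @argv = build_nfdump_argv(
    profilepath => 'live/ICMP',        # constructed profile path
    sources     => 'router1:router2',  # constructed channel list
    timeslot    => '201105261930',     # timeslot from the posted log
    filter      => 'proto icmp and src ip 10.0.0.1',
);
print join(' ', @argv), "\n";

# Constructed sample of nfdump -s ip/bytes output, trailing lines included.
my @sample = (
    "Top 10 IP Addr ordered by bytes:\n",
    "Date first seen          Duration Proto      IP Addr   Flows  Packets  Bytes   pps    bps   bpp\n",
    "2011-05-26 19:30:01.123    299.7 any       10.0.0.1     120     6000  3.2 M    20  85.4 K   533\n",
    "\n",
    "Summary: total flows: 4821, total bytes: 41.3 M, total packets: 61200, avg bps: 1.1 M, avg pps: 204, avg bpp: 675\n",
    "Time window: 2011-05-26 19:30:00 - 2011-05-26 19:34:59\n",
    "Total flows processed: 4821, Blocks skipped: 0, Bytes read: 300000\n",
    "Sys: 0.012s flows/second: 401750.0  Wall: 0.011s flows/second: 438272.7\n",
);
my $flows = parse_total_flows(@sample);
print defined $flows ? "$flows aggregated flows\n" : "no Summary line found\n";

# The failure mode from the post: empty inputs never reach exec().
eval { build_nfdump_argv(profilepath => '', sources => '', timeslot => '201105261930') };
print "guard: $@" if $@;
```

In a real plugin the sample array would be replaced by `run_nfdump(@argv)` inside an `eval`, with the `die` message logged via syslog('err') and the alert action returning without firing when `parse_total_flows` yields undef.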
_______________________________________________
Nfsen-discuss mailing list
Nfsen-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss