[Simple-evcorr-users] How to force SEC not to process a file from start when it is being edited.

2011-10-19 Thread Supratik Goswami
When monitoring a file using SEC, it normally tails on that file and
any new changes can be matched against some pattern.
If someone edits that file using any editor SEC recognizes that the
file has been recreated and shows the below message

Input file ./testdir/p has been recreated
Shuffled ./testdir/p, reopening and processing from the start

Now it will find all the matches again, which it has already done earlier.

Is there any way I can tell SEC to tail again without processing the
file from the start and alert once?

--
Warm Regards

Supratik

--
All the data continuously generated in your IT infrastructure contains a
definitive record of customers, application performance, security
threats, fraudulent activity and more. Splunk takes this data and makes
sense of it. Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2d-oct
___
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users


Re: [Simple-evcorr-users] How to force SEC not to process a file from start when it is being edited.

2011-10-19 Thread Justin J. Novack
File-system wise, on save, the file is created from 0 bytes and repopulated,
so SEC might not know that it was a user-edit.

This could happen with nano (pico), try a more powerful editor like vim (or
emacs).

--
Justin J. Novack
Official Disturber of the Peace


On Wed, Oct 19, 2011 at 6:55 AM, Supratik Goswami
wrote:

> When monitoring a file using SEC, it normally tails on that file and
> any new changes can be matched against some pattern.
> If someone edits that file using any editor SEC recognizes that the
> file has been recreated and shows the below message
>
> Input file ./testdir/p has been recreated
> Shuffled ./testdir/p, reopening and processing from the start
>
> Now it will find all the matches again which it has done it earlier.
>
> Is there any way I can tell SEC to tail again without processing the
> file from the start and alert once ?
>
> --
> Warm Regards
>
> Supratik
>


Re: [Simple-evcorr-users] How to force SEC not to process a file from start when it is being edited.

2011-10-19 Thread Supratik Goswami
Yes it is happening with vim.

Is there any way to tell SEC not to repopulate?

On Wed, Oct 19, 2011 at 5:01 PM, Justin J. Novack  wrote:
> File-system wise, on save, the file is created from 0 bytes and repopulated,
> so SEC might not know that it was a user-edit.
> This could happen with nano (pico), try a more powerful editor like vim (or
> emacs).
> --
> Justin J. Novack
> Official Disturber of the Peace
>
>
> On Wed, Oct 19, 2011 at 6:55 AM, Supratik Goswami 
> wrote:
>>
>> When monitoring a file using SEC, it normally tails on that file and
>> any new changes can be matched against some pattern.
>> If someone edits that file using any editor SEC recognizes that the
>> file has been recreated and shows the below message
>>
>> Input file ./testdir/p has been recreated
>> Shuffled ./testdir/p, reopening and processing from the start
>>
>> Now it will find all the matches again which it has done it earlier.
>>
>> Is there any way I can tell SEC to tail again without processing the
>> file from the start and alert once ?
>>
>> --
>> Warm Regards
>>
>> Supratik
-- 
Warm Regards

Supratik



Re: [Simple-evcorr-users] How to force SEC not to process a file from start when it is being edited.

2011-10-19 Thread Justin J. Novack
Again, the main thing here is that SEC doesn't care, it is the OS at fault
(for doing it correctly).  Your editor recreates the file from 0 bytes, so
how is SEC to know it's not a new file?

Try other methods of editing the file, like sed or diff if you are crafty.
If you are just adding content to the end, do an "echo >>".  Otherwise, stop
editing the file that SEC wants to read sequentially :)  Or write an
intermediary process.

It's not SEC's fault, it doesn't know it's the same file.

--
Justin J. Novack
Official Disturber of the Peace


On Wed, Oct 19, 2011 at 7:47 AM, Supratik Goswami
wrote:

> Yes it is happening with vim.
>
> Is there any way to tell SEC not to repopulate?
>
> On Wed, Oct 19, 2011 at 5:01 PM, Justin J. Novack wrote:
> > File-system wise, on save, the file is created from 0 bytes and repopulated,
> > so SEC might not know that it was a user-edit.
> > This could happen with nano (pico), try a more powerful editor like vim (or
> > emacs).
> > --
> > Justin J. Novack
> > Official Disturber of the Peace
> >
> >
> > On Wed, Oct 19, 2011 at 6:55 AM, Supratik Goswami <supratiksek...@gmail.com> wrote:
> >>
> >> When monitoring a file using SEC, it normally tails on that file and
> >> any new changes can be matched against some pattern.
> >> If someone edits that file using any editor SEC recognizes that the
> >> file has been recreated and shows the below message
> >>
> >> Input file ./testdir/p has been recreated
> >> Shuffled ./testdir/p, reopening and processing from the start
> >>
> >> Now it will find all the matches again which it has done it earlier.
> >>
> >> Is there any way I can tell SEC to tail again without processing the
> >> file from the start and alert once ?
> >>
> >> --
> >> Warm Regards
> >>
> >> Supratik
> >>
> --
> Warm Regards
>
> Supratik
>


Re: [Simple-evcorr-users] How to force SEC not to process a file from start when it is being edited.

2011-10-19 Thread Eric V. Smith
Even if it were possible to delete say 100 bytes from the front of the
file, how would SEC know that it needed to skip back 100 bytes to keep
its concept of the current location in the file? Imagine a scenario
with multiple writes to the end of the file, some of which SEC has
processed, but some it hasn't. Then 100 bytes at the front of the file
get removed. How could this possibly work?

Eric.

On 10/19/2011 7:56 AM, Justin J. Novack wrote:
> Again, the main thing here is that SEC doesn't care, it is the OS at
> fault (for doing it correctly).  Your editor recreates the file from 0
> bytes, so how is SEC to know it's not a new file?
> 
> Try other methods of editing the file, like sed or diff if you are
> crafty. If you are just adding content to the end, do a "echo >>".
>  Otherwise, stop editing the file that SEC wants to sequential read :)
>  Or write an intermediary process.  
> 
> It's not SEC's fault, it doesn't know it's the same file.
> 
> --
> Justin J. Novack
> Official Disturber of the Peace
> 
> 
> On Wed, Oct 19, 2011 at 7:47 AM, Supratik Goswami
> <supratiksek...@gmail.com> wrote:
>
> Yes it is happening with vim.
>
> Is there any way to tell SEC not to repopulate?
>
> On Wed, Oct 19, 2011 at 5:01 PM, Justin J. Novack wrote:
> > File-system wise, on save, the file is created from 0 bytes and repopulated,
> > so SEC might not know that it was a user-edit.
> > This could happen with nano (pico), try a more powerful editor like vim (or
> > emacs).
> > --
> > Justin J. Novack
> > Official Disturber of the Peace
> >
> >
> > On Wed, Oct 19, 2011 at 6:55 AM, Supratik Goswami <supratiksek...@gmail.com> wrote:
> >>
> >> When monitoring a file using SEC, it normally tails on that file and
> >> any new changes can be matched against some pattern.
> >> If someone edits that file using any editor SEC recognizes that the
> >> file has been recreated and shows the below message
> >>
> >> Input file ./testdir/p has been recreated
> >> Shuffled ./testdir/p, reopening and processing from the start
> >>
> >> Now it will find all the matches again which it has done it earlier.
> >>
> >> Is there any way I can tell SEC to tail again without processing the
> >> file from the start and alert once ?
> >>
> >> --
> >> Warm Regards
> >>
> >> Supratik
> >>
> --
> Warm Regards
> 
> Supratik


Re: [Simple-evcorr-users] How to force SEC not to process a file from start when it is being edited.

2011-10-19 Thread Risto Vaarandi
On 10/19/2011 01:55 PM, Supratik Goswami wrote:
> When monitoring a file using SEC, it normally tails on that file and
> any new changes can be matched against some pattern.
> If someone edits that file using any editor SEC recognizes that the
> file has been recreated and shows the below message
>
> Input file ./testdir/p has been recreated
> Shuffled ./testdir/p, reopening and processing from the start
>
> Now it will find all the matches again which it has done it earlier.
>
> Is there any way I can tell SEC to tail again without processing the
> file from the start and alert once ?
>
> --
> Warm Regards
>
> Supratik
>

Unfortunately that can't be done. When the log file size decreases, it
normally means that the logging process has truncated its log to 0 and
some new events have been written to the beginning of the file.

However, if you want to monitor specific files which get written both by
processes and end users, I'd recommend doing this through FIFOs and using
separate scripts to copy the file content into FIFOs. Given the fact the
files are freely edited by end users, they don't seem to be regular log
files, so FIFO might be a better approach for other reasons as well.

kind regards,
risto
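
The FIFO approach recommended above (the "intermediary process" mentioned earlier in the thread), sketched as an added example that is not code from the thread or from SEC: a Python forwarder that copies only lines it has not delivered before, so an editor save that recreates the file does not replay old events. The class name, the line-digest bookkeeping and the sample log lines are assumptions made for this illustration.

```python
import hashlib
import io
import os
import tempfile
from collections import Counter
from pathlib import Path


class EditTolerantForwarder:
    """Copy each line of `path` to `sink` once, even across editor rewrites."""

    def __init__(self, path, sink):
        self.path, self.sink = path, sink   # sink: binary stream (the FIFO)
        self.ident = None       # (st_dev, st_ino) of the file last read
        self.offset = 0         # end of the last complete line consumed
        self.anchor = b""       # bytes of that line, used to verify offset
        self.seen = Counter()   # line digest -> copies already accounted for

    def _can_resume(self, fh, st):
        if (st.st_dev, st.st_ino) != self.ident or st.st_size < self.offset:
            return False        # replaced through rename, or truncated
        fh.seek(self.offset - len(self.anchor))
        return fh.read(len(self.anchor)) == self.anchor  # else rewritten in place

    def poll(self):
        """Forward lines not delivered before and return them as a list."""
        try:
            fh = open(self.path, "rb")
        except FileNotFoundError:
            return []           # caught mid-rename; retry on the next poll
        out, in_file = [], Counter()
        with fh:
            st = os.fstat(fh.fileno())
            resumed = self._can_resume(fh, st)
            if not resumed:     # old position is meaningless: rescan, dedupe
                self.offset, self.anchor = 0, b""
            fh.seek(self.offset)
            for line in fh:
                if not line.endswith(b"\n"):
                    break       # partial line, wait for the writer to finish
                self.offset, self.anchor = self.offset + len(line), line
                digest = hashlib.sha256(line).digest()
                in_file[digest] += 1
                if resumed or in_file[digest] > self.seen[digest]:
                    out.append(line)
            if resumed:
                self.seen.update(in_file)
            else:
                self.seen = in_file     # baseline is now the file as edited
            self.ident = (st.st_dev, st.st_ino)
        self.sink.write(b"".join(out))
        self.sink.flush()
        return out


def demo():
    """Run four polls over constructed sample lines; return (polls, delivered)."""
    l1, l2, l3, l4, l5 = (
        b"Oct 19 10:00:0%d host app: login failed for %s\n" % (i, u)
        for i, u in enumerate([b"alice", b"bob", b"carol", b"dave", b"erin"], 1))
    sink, polls = io.BytesIO(), []
    with tempfile.TemporaryDirectory() as d:
        path, tmp = Path(d, "p"), Path(d, "p.tmp")
        fwd = EditTolerantForwarder(path, sink)
        path.write_bytes(l1 + l2)               # initial content
        polls.append(fwd.poll())
        with path.open("ab") as f:              # ordinary append
            f.write(l3)
        polls.append(fwd.poll())
        tmp.write_bytes(l2 + l3 + l4)           # editor save: l1 cut, l4 added,
        os.replace(tmp, path)                   # new file renamed into place
        polls.append(fwd.poll())
        path.write_bytes(l3 + l4 + l5)          # in-place rewrite, same inode
        polls.append(fwd.poll())
    return polls, sink.getvalue()


if __name__ == "__main__":
    print(demo()[0])
```

In real use the sink would be a named pipe created with mkfifo and opened for writing, with SEC reading the pipe as its input instead of the edited file. The anchor check only verifies the last consumed line, so an in-place edit that leaves that line at the same byte position is treated as an append.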



Re: [Simple-evcorr-users] Defining a Map for Data

2011-10-19 Thread Justin J. Novack
Excellent points, all.  I've decided to combine the two approaches.
 However, I'm stuck.

As you can see below, I'm loading the hashes on startup, and the second rule
doesn't run. :(  If I remove the context from the second rule, it runs fine.
 I don't think context =($perl_hash{$2}) is a valid context or check.  If
that is the case, how do I dump the hash to create contexts?

On Tue, Oct 18, 2011 at 3:48 PM, John P. Rouillard 
 wrote:


> I think adding a
>
>  context = system_name_$2
>
> or
>
>  context =($perl_hash{$2})
>
> to your rules will fix that nicely. If the contexts/hash entry aren't
> defined the rules don't fire.



testing.sec
=
type=Single
desc=Load hashes at startup
ptype=SubStr
continue=TakeNext
pattern=SEC_RESTART
context=SEC_INTERNAL_EVENT
action=eval %a ( undef %hash;  \
open(FILE, ") { chomp; my ($key, $val) = split /=/; $hash{"$key"} =
$val; }); \
eval %a (my $line; foreach (keys %hash) { $line .= "$_ = $hash{$_}\n";
}; chomp($line); return $line);

type=Single
desc=WTF doesn't this work?!
ptype=SubStr
pattern=SEC_RESTART
context=($hash{"GigabitEthernet1/37"})
action=logonly Holy Guacamole!  It worked!

tail -f /var/log/sec/
=
Wed Oct 19 13:36:16 2011: Reading configuration from /etc/sec/testing.sec
Wed Oct 19 13:36:16 2011: 4 rules loaded from /etc/sec/testing.sec
Wed Oct 19 13:36:16 2011: Creating SEC internal context 'SEC_INTERNAL_EVENT'
Wed Oct 19 13:36:16 2011: Creating SEC internal event 'SEC_RESTART'
Wed Oct 19 13:36:16 2011: Evaluating code 'undef %hash;  open(FILE,
") { chomp; my ($key, $val)
= split /=/; $hash{"$key"} = $val; }' and setting variable '%a'
Wed Oct 19 13:36:16 2011: Variable '%a' set to ''
Wed Oct 19 13:36:16 2011: Evaluating code 'my $line; foreach (keys %hash) {
$line .= "$_ = $hash{$_}\n"; }; chomp($line); return $line' and setting
variable '%a'
Wed Oct 19 13:36:16 2011: Variable '%a' set to 'GigabitEthernet3/16 =
IMPORTANT SERVER
GigabitEthernet1/37 = TEST SERVER'
Wed Oct 19 13:36:16 2011: Deleting SEC internal context 'SEC_INTERNAL_EVENT'






Justin J. Novack
Official Disturber of the Peace
--
The demand for IT networking professionals continues to grow, and the
demand for specialized networking skills is growing even more rapidly.
Take a complimentary Learning@Ciosco Self-Assessment and learn 
about Cisco certifications, training, and career opportunities. 
http://p.sf.net/sfu/cisco-dev2dev
___
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users


Re: [Simple-evcorr-users] Defining a Map for Data

2011-10-19 Thread Justin J. Novack
Sorry for the double post, I wanted to post an intermediate solution:

The correct context line for the second rule would be:
 context= =(if (exists $hash{"GigabitEthernet1/37"}) { return 1;} )

This should be the last stumbling block...

--
Justin J. Novack
Official Disturber of the Peace


On Wed, Oct 19, 2011 at 1:52 PM, Justin J. Novack  wrote:

> Excellent points, all.  I've decided to combine the two approaches.
>  However, I'm stuck.
>
> As you can see below, I'm loading the hashes on startup, and the second
> rule doesn't run. :(  If I remove the context from the second rule, it runs
> fine.  I don't think context =($perl_hash{$2}) is a valid context or check.
>  If that is the case, how do I dump the hash to create contexts?
>
> On Tue, Oct 18, 2011 at 3:48 PM, John P. Rouillard 
>  wrote:
>
>
>> I think adding a
>>
>>  context = system_name_$2
>>
>> or
>>
>>  context =($perl_hash{$2})
>>
>> to your rules will fix that nicely. If the contexts/hash entry aren't
>> defined the rules don't fire.
>
>
>
> testing.sec
> =
> type=Single
> desc=Load hashes at startup
> ptype=SubStr
> continue=TakeNext
> pattern=SEC_RESTART
> context=SEC_INTERNAL_EVENT
> action=eval %a ( undef %hash;  \
> open(FILE, " while () { chomp; my ($key, $val) = split /=/; $hash{"$key"} =
> $val; }); \
> eval %a (my $line; foreach (keys %hash) { $line .= "$_ = $hash{$_}\n";
> }; chomp($line); return $line);
>
> type=Single
> desc=WTF doesn't this work?!
> ptype=SubStr
> pattern=SEC_RESTART
> context=($hash{"GigabitEthernet1/37"})
> action=logonly Holy Guacamole!  It worked!
>
> tail -f /var/log/sec/
> =
> Wed Oct 19 13:36:16 2011: Reading configuration from /etc/sec/testing.sec
> Wed Oct 19 13:36:16 2011: 4 rules loaded from /etc/sec/testing.sec
> Wed Oct 19 13:36:16 2011: Creating SEC internal context
> 'SEC_INTERNAL_EVENT'
> Wed Oct 19 13:36:16 2011: Creating SEC internal event 'SEC_RESTART'
> Wed Oct 19 13:36:16 2011: Evaluating code 'undef %hash;  open(FILE,
> ") { chomp; my ($key, $val)
> = split /=/; $hash{"$key"} = $val; }' and setting variable '%a'
> Wed Oct 19 13:36:16 2011: Variable '%a' set to ''
> Wed Oct 19 13:36:16 2011: Evaluating code 'my $line; foreach (keys %hash) {
> $line .= "$_ = $hash{$_}\n"; }; chomp($line); return $line' and setting
> variable '%a'
> Wed Oct 19 13:36:16 2011: Variable '%a' set to 'GigabitEthernet3/16 =
> IMPORTANT SERVER
> GigabitEthernet1/37 = TEST SERVER'
> Wed Oct 19 13:36:16 2011: Deleting SEC internal context
> 'SEC_INTERNAL_EVENT'
>
>
>
>
>
>
> Justin J. Novack
> Official Disturber of the Peace


Re: [Simple-evcorr-users] Defining a Map for Data

2011-10-19 Thread John P. Rouillard

In message
 ,
"Justin J. Novack" writes:

>Excellent points, all.  I've decided to combine the two approaches.
>However, I'm stuck.
>
>As you can see below, I'm loading the hashes on startup, and the second rule
>doesn't run. :(  If I remove the context from the second rule, it runs fine.
>I don't think context =($perl_hash{$2})

But that's not what you have, although it is what I typoed 8-(.

>is a valid context or check.  If that is the case, how do I dump
>the hash to create contexts?
>
>On Tue, Oct 18, 2011 at 3:48 PM, John P. Rouillard 
> wrote:
>
>
>> I think adding a
>>
>>  context = system_name_$2
>>
>> or
>>
>>  context =($perl_hash{$2})

My bad. Forgot an extra = sign. Should have been

 context =   =($perl_hash{$2})

>> to your rules will fix that nicely. If the contexts/hash entry aren't
>> defined the rules don't fire.
>
>testing.sec
>=
>type=Single
>desc=Load hashes at startup
>ptype=SubStr
>continue=TakeNext
>pattern=SEC_RESTART
>context=SEC_INTERNAL_EVENT
>action=eval %a ( undef %hash;  \
>open(FILE, "while () { chomp; my ($key, $val) = split /=/; $hash{"$key"} =
>$val; }); \
>eval %a (my $line; foreach (keys %hash) { $line .= "$_ = $hash{$_}\n";
>}; chomp($line); return $line);
>
>type=Single
>desc=WTF doesn't this work?!
>ptype=SubStr
>pattern=SEC_RESTART
>context=($hash{"GigabitEthernet1/37"})

context= =($hash{"GigabitEthernet1/37"})

Note the expression starting with the = sign.

See the manpage section CONTEXT EXPRESSIONS para 4 or so
starting with 'If the operand begins with the equal sign (=)'

--
-- rouilj
John Rouillard
===
My employers don't acknowledge my existence much less my opinions.



Re: [Simple-evcorr-users] Defining a Map for Data - SOLVED

2011-10-19 Thread Justin J. Novack
Again, thank you John, David, et. al.

My full solution is posted for reference.  Please feel free to include in
documentation.

/etc/sec/friendlynames.txt

GigabitEthernet1/37=TEST SERVER
GigabitEthernet3/39=IMPORTANT SERVER

/etc/sec/testing.sec
===
type=Single
desc=Load hashes at startup
ptype=SubStr
continue=TakeNext
pattern=SEC_STARTUP|SEC_RESTART
context=SEC_INTERNAL_EVENT
action=eval %a ( open(FILE, "</etc/sec/friendlynames.txt"); while (<FILE>) { chomp; my ($key, $val) = split /=/; $hash{"$key"} = $val; } )

#Aug  1 12:14:54 switchname 362351: %LINK-3-UPDOWN: Interface GigabitEthernet1/37, changed state to down
type=Single
desc=Fire Event
ptype=RegExp
pattern=%LINK-3-UPDOWN: Interface ([\w\/]+), changed state to down
context= =($hash{"$1"})
action=eval %host ( return $hash{"$1"}; ); logonly  Uh-oh! Problem with %host

From here, you can do what you want with %host as normal.

(P.S. - David, since a reload will reload the hashes, does that count as
completing the extra credit? Do contexts persist a  'kill $PID -HUP'?)
---
Justin J. Novack
Official Disturber of the Peace


Re: [Simple-evcorr-users] Defining a Map for Data - SOLVED

2011-10-19 Thread david

On Wed, 19 Oct 2011, Justin J. Novack wrote:

> Again, thank you John, David, et. al.
>
> My full solution is posted for reference.  Please feel free to include in
> documentation.
>
> /etc/sec/friendlynames.txt
>
> GigabitEthernet1/37=TEST SERVER
> GigabitEthernet3/39=IMPORTANT SERVER
>
> /etc/sec/testing.sec
> ===
> type=Single
> desc=Load hashes at startup
> ptype=SubStr
> continue=TakeNext
> pattern=SEC_STARTUP|SEC_RESTART
> context=SEC_INTERNAL_EVENT
> action=eval %a ( open(FILE, "</etc/sec/friendlynames.txt"); while (<FILE>) { chomp; my ($key, $val) = split /=/; $hash{"$key"} = $val; } )
>
> #Aug  1 12:14:54 switchname 362351: %LINK-3-UPDOWN: Interface GigabitEthernet1/37, changed state to down
> type=Single
> desc=Fire Event
> ptype=RegExp
> pattern=%LINK-3-UPDOWN: Interface ([\w\/]+), changed state to down
> context= =($hash{"$1"})
> action=eval %host ( return $hash{"$1"}; ); logonly  Uh-oh! Problem with %host
>
> From here, you can do what you want with %host as normal.
>
> (P.S. - David, since a reload will reload the hashes, does that count as
> completing the extra credit? Do contexts persist a  'kill $PID -HUP'?)


I am thinking that they are lost on a -HUP because the -HUP recompiles the 
rules.


I am thinking that you need something along the lines of

type=Single
desc=Load hashes at startup
ptype=SubStr
continue=TakeNext
pattern=reload friendlynames.txt file
action=eval %a ( open(FILE, "</etc/sec/friendlynames.txt"); while (<FILE>) { chomp; my ($key, $val) = split /=/; $hash{"$key"} = $val; } )

since you run things on reload, you probably need the clearing of the hash 
in your original version as well (since this file is something that 
usually only grows, the fact that a reload would not remove an entry from 
the hash is probably not a big problem, but in other contexts it will 
matter)


David Lang