Re: [Simple-evcorr-users] Defining a Map for Data - SOLVED
David, You are correct, sir! Per the inline documentation:

# if SIGHUP has arrived, reopen input files and logfile, re-read
# configuration and empty all lists concerning events and correlation
# information; if SIGABRT has arrived, behave like SIGHUP but preserve
# contexts that are active

Mon Oct 24 12:45:52 2011: SIGHUP received: full restart of SEC
Mon Oct 24 12:45:52 2011: Reading configuration from /etc/sec/cisco/asa.sec
Mon Oct 24 12:45:52 2011: 21 rules loaded from /etc/sec/cisco/asa.sec
Mon Oct 24 12:45:52 2011: Creating SEC internal context 'SEC_INTERNAL_EVENT'
Mon Oct 24 12:45:52 2011: Creating SEC internal event 'SEC_RESTART'
Mon Oct 24 12:45:52 2011: Deleting SEC internal context 'SEC_INTERNAL_EVENT'
Mon Oct 24 12:57:09 2011: SIGABRT received: soft restart of SEC
Mon Oct 24 12:57:09 2011: Creating SEC internal context 'SEC_INTERNAL_EVENT'
Mon Oct 24 12:57:09 2011: Creating SEC internal event 'SEC_SOFTRESTART'
Mon Oct 24 12:57:09 2011: Deleting SEC internal context 'SEC_INTERNAL_EVENT'

A safer reload of the hashes, without losing the contexts, is to send a
kill $pid -ABRT after editing the file.

type=Single
desc=Dynamically reload Hashes
ptype=SubStr
continue=TakeNext
pattern=SEC_SOFTRESTART
context=SEC_INTERNAL_EVENT
action=eval %a ( open(FILE, "</etc/sec/friendlynames.txt"); \
                 while (<FILE>) { chomp; my ($key, $val) = split /=/; $hash{"$key"} = $val; } )

Or, if feeling adventurous, it's merely a .pl file. We can always
roll-your-own SIG handler. :)

---
Justin J. Novack
Official Disturber of the Peace

On Wed, Oct 19, 2011 at 3:37 PM, wrote:

> I am thinking that they are lost on a -HUP because the -HUP recompiles the
> rules.
>
> I am thinking that you need something along the lines of
>
> type=Single
> desc=Load hashes at startup
> ptype=SubStr
> continue=TakeNext
> pattern=reload friendlynames.txt file
> action=eval %a ( open(FILE, "</etc/sec/friendlynames.txt"); \
>                  while (<FILE>) { chomp; my ($key, $val) = split /=/; $hash{"$key"} = $val; } )
>
> since you run things on reload, you probably need the clearing of the hash
> in your original version as well (since this file is something that usually
> only grows, the fact that a reload would not remove an entry from the hash
> is probably not a big problem, but in other contexts it will matter)
>
> David Lang

--
The demand for IT networking professionals continues to grow, and the
demand for specialized networking skills is growing even more rapidly.
Take a complimentary Learning@Cisco Self-Assessment and learn
about Cisco certifications, training, and career opportunities.
http://p.sf.net/sfu/cisco-dev2dev
___
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
Re: [Simple-evcorr-users] Defining a Map for Data - SOLVED
On Wed, 19 Oct 2011, Justin J. Novack wrote:

> Again, thank you John, David, et al. My full solution is posted for
> reference. Please feel free to include in documentation.
>
> /etc/sec/friendlynames.txt
> ===
> GigabitEthernet1/37=TEST SERVER
> GigabitEthernet3/39=IMPORTANT SERVER
>
> /etc/sec/testing.sec
> ===
> type=Single
> desc=Load hashes at startup
> # RegExp rather than SubStr, so that the '|' is an alternation and not a literal
> ptype=RegExp
> continue=TakeNext
> pattern=SEC_STARTUP|SEC_RESTART
> context=SEC_INTERNAL_EVENT
> action=eval %a ( open(FILE, "</etc/sec/friendlynames.txt"); \
>                  while (<FILE>) { chomp; my ($key, $val) = split /=/; $hash{"$key"} = $val; } )
>
> #Aug  1 12:14:54 switchname 362351: %LINK-3-UPDOWN: Interface GigabitEthernet1/37, changed state to down
> type=Single
> desc=Fire Event
> ptype=RegExp
> pattern=%LINK-3-UPDOWN: Interface ([\w\/]+), changed state to down
> context= =($hash{"$1"})
> action=eval %host ( return $hash{"$1"}; ); logonly Uh-oh! Problem with %host
>
> From here, you can do what you want with %host as normal.
>
> (P.S. - David, since a reload will reload the hashes, does that count as
> completing the extra credit? Do contexts persist a 'kill $PID -HUP'?)

I am thinking that they are lost on a -HUP because the -HUP recompiles the
rules.

I am thinking that you need something along the lines of

type=Single
desc=Load hashes at startup
ptype=SubStr
continue=TakeNext
pattern=reload friendlynames.txt file
action=eval %a ( open(FILE, "</etc/sec/friendlynames.txt"); \
                 while (<FILE>) { chomp; my ($key, $val) = split /=/; $hash{"$key"} = $val; } )

since you run things on reload, you probably need the clearing of the hash
in your original version as well (since this file is something that usually
only grows, the fact that a reload would not remove an entry from the hash
is probably not a big problem, but in other contexts it will matter)

David Lang
Re: [Simple-evcorr-users] Defining a Map for Data - SOLVED
Again, thank you John, David, et al. My full solution is posted for
reference. Please feel free to include in documentation.

/etc/sec/friendlynames.txt
===
GigabitEthernet1/37=TEST SERVER
GigabitEthernet3/39=IMPORTANT SERVER

/etc/sec/testing.sec
===
type=Single
desc=Load hashes at startup
# RegExp rather than SubStr, so that the '|' is an alternation and not a literal
ptype=RegExp
continue=TakeNext
pattern=SEC_STARTUP|SEC_RESTART
context=SEC_INTERNAL_EVENT
action=eval %a ( open(FILE, "</etc/sec/friendlynames.txt"); \
                 while (<FILE>) { chomp; my ($key, $val) = split /=/; $hash{"$key"} = $val; } )

#Aug  1 12:14:54 switchname 362351: %LINK-3-UPDOWN: Interface GigabitEthernet1/37, changed state to down
type=Single
desc=Fire Event
ptype=RegExp
pattern=%LINK-3-UPDOWN: Interface ([\w\/]+), changed state to down
context= =($hash{"$1"})
action=eval %host ( return $hash{"$1"}; ); logonly Uh-oh! Problem with %host

From here, you can do what you want with %host as normal.

(P.S. - David, since a reload will reload the hashes, does that count as
completing the extra credit? Do contexts persist a 'kill $PID -HUP'?)

---
Justin J. Novack
Official Disturber of the Peace
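The loader loop and the two context checks from this thread, as an added stand-alone Perl example (not code from the thread or from SEC itself), so the behaviour can be checked without starting SEC. It assumes a constructed stand-in for /etc/sec/friendlynames.txt embedded in the script, and adds the 'undef %hash' that David Lang asks for so a reload drops entries removed from the file. The split is limited to the first '=' so a friendly name that itself contains '=' survives, which the one-argument split in the rule would truncate.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: the friendlynames.txt loader and
# the %hash context checks as a stand-alone script. The mapping text is
# constructed inline in place of /etc/sec/friendlynames.txt.
use strict;
use warnings;

our %hash;    # SEC keeps eval'd Perl state between actions; a package variable mimics that

# Constructed stand-in for /etc/sec/friendlynames.txt. The empty value and the
# line without '=' are deliberate edge cases.
my $friendlynames = <<'END';
GigabitEthernet1/37=TEST SERVER
GigabitEthernet3/39=IMPORTANT SERVER
GigabitEthernet2/1=
GigabitEthernet2/2
END

# Same loop as the rule action, plus 'undef %hash' so a reload drops entries
# that were removed from the file. Returns the number of keys loaded.
sub load_hash {
    my ($text) = @_;
    undef %hash;
    for my $line (split /\r?\n/, $text) {
        next if $line =~ /^\s*(#|$)/;             # skip blank and comment lines
        my ($key, $val) = split /=/, $line, 2;    # limit 2: keep any '=' inside the value
        next unless defined $val;                 # no '=' at all: ignore the line
        $hash{$key} = $val;
    }
    return scalar keys %hash;
}

# The two context expressions discussed in the thread, as plain functions.
# context= =($hash{"$1"})                            -> true only for a non-empty name
sub has_friendly_name { my ($iface) = @_; return $hash{$iface} ? 1 : 0; }
# context= =(if (exists $hash{"$1"}) { return 1; })  -> true for any key in the file
sub is_mapped         { my ($iface) = @_; return exists $hash{$iface} ? 1 : 0; }

load_hash($friendlynames);
for my $iface ('GigabitEthernet1/37', 'GigabitEthernet2/1', 'GigabitEthernet4/38') {
    printf "%-20s truthy=%d exists=%d name='%s'\n", $iface,
        has_friendly_name($iface), is_mapped($iface), $hash{$iface} // '';
}

# Reload from a shorter file: without 'undef %hash' the old entry would linger.
load_hash("GigabitEthernet1/37=TEST SERVER\n");
print "GigabitEthernet3/39 after reload: ",
      (is_mapped('GigabitEthernet3/39') ? "stale" : "gone"), "\n";
```

Run it as-is; GigabitEthernet2/1 shows the difference between the two checks (truthy=0, exists=1), which is why an empty or literal "0" friendly name makes the =($hash{"$1"}) form skip the rule while the exists form still fires.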
Re: [Simple-evcorr-users] Defining a Map for Data
In message , "Justin J. Novack" writes:
>Excellent points, all. I've decided to combine the two approaches.
>However, I'm stuck.
>
>As you can see below, I'm loading the hashes on startup, and the second rule
>doesn't run. :( If I remove the context from the second rule, it runs fine.
>I don't think context =($perl_hash{$2})

But that's not what you have, although it is what I typoed 8-(.

>is a valid context or check. If that is the case, how do I dump
>the hash to create contexts?
>
>On Tue, Oct 18, 2011 at 3:48 PM, John P. Rouillard wrote:
>
>> I think adding a
>>
>> context = system_name_$2
>>
>> or
>>
>> context =($perl_hash{$2})

My bad. Forgot an extra = sign. Should have been

context = =($perl_hash{$2})

>> to your rules will fix that nicely. If the contexts/hash entry aren't
>> defined the rules don't fire.
>
>testing.sec
>=
>type=Single
>desc=Load hashes at startup
>ptype=SubStr
>continue=TakeNext
>pattern=SEC_RESTART
>context=SEC_INTERNAL_EVENT
>action=eval %a ( undef %hash; \
>         open(FILE, "</etc/sec/friendlynames.txt"); \
>         while (<FILE>) { chomp; my ($key, $val) = split /=/; $hash{"$key"} = $val; }); \
>       eval %a (my $line; foreach (keys %hash) { $line .= "$_ = $hash{$_}\n"; }; chomp($line); return $line);
>
>type=Single
>desc=WTF doesn't this work?!
>ptype=SubStr
>pattern=SEC_RESTART
>context=($hash{"GigabitEthernet1/37"})

context= =($hash{"GigabitEthernet1/37"})

Note the expression starting with the = sign. See the manpage section
CONTEXT EXPRESSIONS para 4 or so starting with 'If the operand begins
with the equal sign (=)'

--
  -- rouilj
John Rouillard   ===
My employers don't acknowledge my existence much less my opinions.
Re: [Simple-evcorr-users] Defining a Map for Data
Sorry for the double post, I wanted to post an intermediate solution:

The correct context line for the second rule would be:

context= =(if (exists $hash{"GigabitEthernet1/37"}) { return 1;} )

This should be the last stumbling block...

--
Justin J. Novack
Official Disturber of the Peace

On Wed, Oct 19, 2011 at 1:52 PM, Justin J. Novack wrote:

> Excellent points, all. I've decided to combine the two approaches.
> However, I'm stuck.
>
> As you can see below, I'm loading the hashes on startup, and the second
> rule doesn't run. :( If I remove the context from the second rule, it runs
> fine. I don't think context =($perl_hash{$2}) is a valid context or check.
> If that is the case, how do I dump the hash to create contexts?
>
> On Tue, Oct 18, 2011 at 3:48 PM, John P. Rouillard wrote:
>
>> I think adding a
>>
>> context = system_name_$2
>>
>> or
>>
>> context =($perl_hash{$2})
>>
>> to your rules will fix that nicely. If the contexts/hash entry aren't
>> defined the rules don't fire.
>
> testing.sec
> =
> type=Single
> desc=Load hashes at startup
> ptype=SubStr
> continue=TakeNext
> pattern=SEC_RESTART
> context=SEC_INTERNAL_EVENT
> action=eval %a ( undef %hash; \
>          open(FILE, "</etc/sec/friendlynames.txt"); \
>          while (<FILE>) { chomp; my ($key, $val) = split /=/; $hash{"$key"} = $val; }); \
>        eval %a (my $line; foreach (keys %hash) { $line .= "$_ = $hash{$_}\n"; }; chomp($line); return $line);
>
> type=Single
> desc=WTF doesn't this work?!
> ptype=SubStr
> pattern=SEC_RESTART
> context=($hash{"GigabitEthernet1/37"})
> action=logonly Holy Guacamole! It worked!
>
> tail -f /var/log/sec/
> =
> Wed Oct 19 13:36:16 2011: Reading configuration from /etc/sec/testing.sec
> Wed Oct 19 13:36:16 2011: 4 rules loaded from /etc/sec/testing.sec
> Wed Oct 19 13:36:16 2011: Creating SEC internal context 'SEC_INTERNAL_EVENT'
> Wed Oct 19 13:36:16 2011: Creating SEC internal event 'SEC_RESTART'
> Wed Oct 19 13:36:16 2011: Evaluating code 'undef %hash; open(FILE, "</etc/sec/friendlynames.txt"); while (<FILE>) { chomp; my ($key, $val) = split /=/; $hash{"$key"} = $val; }' and setting variable '%a'
> Wed Oct 19 13:36:16 2011: Variable '%a' set to ''
> Wed Oct 19 13:36:16 2011: Evaluating code 'my $line; foreach (keys %hash) { $line .= "$_ = $hash{$_}\n"; }; chomp($line); return $line' and setting variable '%a'
> Wed Oct 19 13:36:16 2011: Variable '%a' set to 'GigabitEthernet3/16 = IMPORTANT SERVER
> GigabitEthernet1/37 = TEST SERVER'
> Wed Oct 19 13:36:16 2011: Deleting SEC internal context 'SEC_INTERNAL_EVENT'
>
> Justin J. Novack
> Official Disturber of the Peace
Re: [Simple-evcorr-users] Defining a Map for Data
Excellent points, all. I've decided to combine the two approaches.
However, I'm stuck.

As you can see below, I'm loading the hashes on startup, and the second
rule doesn't run. :( If I remove the context from the second rule, it runs
fine. I don't think context =($perl_hash{$2}) is a valid context or check.
If that is the case, how do I dump the hash to create contexts?

On Tue, Oct 18, 2011 at 3:48 PM, John P. Rouillard wrote:

> I think adding a
>
> context = system_name_$2
>
> or
>
> context =($perl_hash{$2})
>
> to your rules will fix that nicely. If the contexts/hash entry aren't
> defined the rules don't fire.

testing.sec
=
type=Single
desc=Load hashes at startup
ptype=SubStr
continue=TakeNext
pattern=SEC_RESTART
context=SEC_INTERNAL_EVENT
action=eval %a ( undef %hash; \
         open(FILE, "</etc/sec/friendlynames.txt"); \
         while (<FILE>) { chomp; my ($key, $val) = split /=/; $hash{"$key"} = $val; }); \
       eval %a (my $line; foreach (keys %hash) { $line .= "$_ = $hash{$_}\n"; }; chomp($line); return $line);

type=Single
desc=WTF doesn't this work?!
ptype=SubStr
pattern=SEC_RESTART
context=($hash{"GigabitEthernet1/37"})
action=logonly Holy Guacamole! It worked!

tail -f /var/log/sec/
=
Wed Oct 19 13:36:16 2011: Reading configuration from /etc/sec/testing.sec
Wed Oct 19 13:36:16 2011: 4 rules loaded from /etc/sec/testing.sec
Wed Oct 19 13:36:16 2011: Creating SEC internal context 'SEC_INTERNAL_EVENT'
Wed Oct 19 13:36:16 2011: Creating SEC internal event 'SEC_RESTART'
Wed Oct 19 13:36:16 2011: Evaluating code 'undef %hash; open(FILE, "</etc/sec/friendlynames.txt"); while (<FILE>) { chomp; my ($key, $val) = split /=/; $hash{"$key"} = $val; }' and setting variable '%a'
Wed Oct 19 13:36:16 2011: Variable '%a' set to ''
Wed Oct 19 13:36:16 2011: Evaluating code 'my $line; foreach (keys %hash) { $line .= "$_ = $hash{$_}\n"; }; chomp($line); return $line' and setting variable '%a'
Wed Oct 19 13:36:16 2011: Variable '%a' set to 'GigabitEthernet3/16 = IMPORTANT SERVER
GigabitEthernet1/37 = TEST SERVER'
Wed Oct 19 13:36:16 2011: Deleting SEC internal context 'SEC_INTERNAL_EVENT'

Justin J. Novack
Official Disturber of the Peace
Re: [Simple-evcorr-users] Defining a Map for Data
In message , "Justin J. Novack" writes:
>Great idea, however, now all 432 ports on my device would send out an email
>on flap, rather than the 60 important ones. This would be perfect if an
>entire switch needed friendly names.

I think adding a

context = system_name_$2

or

context =($perl_hash{$2})

to your rules will fix that nicely. If the contexts/hash entries aren't
defined the rules don't fire. Since you would check to see if the switch
port has a pretty name you can simplify the actions by not emptying the
variables first since there will always be a value if the action
triggers.

You could also move this to the action's shell command:

pipe ... 'var=`grep $2 /file/mapping` && /bin/mail ... -s "ERROR $$var "'

(I think $$ is the substitution token to put a single $ in the actual
string.) But if you are ignoring that many ports the fork/exec time for
all those processes that are going to exit seems excessive.

>As for David's suggestion, this would also be the case, however, I could
>error out (silently) if it doesn't match something in the hash. I would
>still need to call a shellcmd, I don't just email, I also trigger additional
>alerts like sounds and phones with the shellcmd announce.php, I'm happy to
>call that separately. At that point, I might as well just offload EVERY
>event to different perl files and fail silently if the switch/port
>combination is not in a hash/map.
>
>Are these ways any safer(?) or less performance intensive than 60+ rules?

Using David's or my methods is a lot less intensive than 60+ rules as
the majority of the computation effort in most SEC installations is the
pattern/regexp match for the rule. Assuming a server that you care about
can randomly error, you will have to compare and fail to match 30 regexps
(1/2 the servers won't match on average) to find the server that matches.
If the port reporting the error doesn't match any server, you would have
to do 60 regexp comparisons to reach that conclusion.

With the methods David and I suggest it's one regexp match to extract
data then a lookup to see what has to be done next. Much much less
computational effort.

>My initial thought was to write a template and seed file (ala Section 4.2
>http://sixshooter.v6.thrupoint.net/SEC-examples/article-part2.html#SECPERFORMANCE)

On that page, look at the performance differences between 1 rule and 50
rules in 'Table 2. SEC Performance With Data Processed Through syslogd'.
With the same input the 50 rule case takes 2-5 times more wall clock run
time and 10-~18 times the actual time spent working the cpu in user time.

Also see section 4 "Strategies to improve performance" of
http://www.cs.umb.edu/~rouilj/sec/sec_paper_full.pdf linked from
http://www.cs.umb.edu/~rouilj/sec/.

>and just deal with adding a line (for each friendly named port) and
>recompiling the rules file every time I want to change.

If your port churn rate is low enough you can do this. But remember
every time you recompile the rules files, you destroy any pending
correlation operations that came from rules in that rule file. There
are ways around that, but they really aren't worth the trouble if there
is another way to accomplish the same thing.

--
  -- rouilj
John Rouillard   ===
My employers don't acknowledge my existence much less my opinions.

--
All the data continuously generated in your IT infrastructure contains a
definitive record of customers, application performance, security
threats, fraudulent activity and more. Splunk takes this data and makes
sense of it. Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2d-oct
___
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
Re: [Simple-evcorr-users] Defining a Map for Data
On Tue, 18 Oct 2011, Justin J. Novack wrote:

> Great idea, however, now all 432 ports on my device would send out an email
> on flap, rather than the 60 important ones. This would be perfect if an
> entire switch needed friendly names.
>
> As for David's suggestion, this would also be the case, however, I could
> error out (silently) if it doesn't match something in the hash. I would
> still need to call a shellcmd, I don't just email, I also trigger additional
> alerts like sounds and phones with the shellcmd announce.php, I'm happy to
> call that separately. At that point, I might as well just offload EVERY
> event to different perl files and fail silently if the switch/port
> combination is not in a hash/map.
>
> Are these ways any safer(?) or less performance intensive than 60+ rules?
> My initial thought was to write a template and seed file (ala Section 4.2
> http://sixshooter.v6.thrupoint.net/SEC-examples/article-part2.html#SECPERFORMANCE)
> and just deal with adding a line (for each friendly named port) and
> recompiling the rules file every time I want to change.
>
> Thoughts?

regex matches are expensive (even in perl), if you can replace many regex
matches with one perl match you will gain a lot of efficiency.

for example, instead of your current match

pattern=\w+\s+\d+\s\d+:\d+:\d+\s(switch).*LINK-3-UPDOWN.*Interface (GigabitEthernet4\/38), changed state to down

you could replace it with a perl snippet along the lines of:

# field indexes depend on the exact format of the line being matched
ptype=PerlFunc
pattern=sub { my @junk = split(' ', substr($_[0], 17)); \
              if (exists $serverhash{$junk[8]} && $junk[4] eq 'LINK-3-UPDOWN') { return $_[0]; } \
              return 0; }

this will return the line as $0 if the line is a 'LINK-3-UPDOWN' event and
the interface is in the serverhash list.

you can easily add additional parsing of the line in perl to pull apart the
data in other ways.

doing a split on space is far cheaper than evaluating a lengthy regex,
especially with a lot of \w+ \s+ \d+ type entries.

with a default syslog line you need to do the split on the substring starting
with column 17 because the date will have an extra space in it for the first
9 days of each month.

David Lang

> --
> Justin J. Novack
> Official Disturber of the Peace
>
> On Tue, Oct 18, 2011 at 1:52 PM, John P. Rouillard wrote:
>
>>
>> In message
>> ,
>> "Justin J. Novack" writes:
>>> [...]
>>> I could tap the collective knowledge. My dilemma is that I'd like to be
>>> able to email out a friendly name for a port if one should exist.
>>>
>>> Rather than writing a x number of rules for x number of ports with a
>>> friendly name, (Port 1 belongs to EXCHANGE, port 2 belongs to
>>> DOMAINCONTROLLER, port 3 belongs to DNSSERVER, etc), I was wondering if
>>> there is a way to reference a map (by an external file or written within
>>> the rule itself).
>>
>> You could use `grep interface name /file/mapping` in the commands
>> where you invoke the shell. Alternatively you could call a shell
>> script that interfaces to your inventory management system and does a
>> lookup so when the IMS changes mappings, you get the change
>> automatically.
>>
>> action=pipe '%s' /bin/mail -s '[ERROR] `grep '^$2' /file/mapping` LINK_DOWN!' n...@domain.net;
>>
>> for example.
>>
>>> My admins don't know what Ethernet4/38 maps to, and they shouldn't be
>>> expected to memorize it. So currently I have to write the following rule:
>>>
>>> # IMPORTANT SERVER 1
>>> type=Single
>>> ptype=RegExp
>>> pattern=\w+\s+\d+\s\d+:\d+:\d+\s(switch).*LINK-3-UPDOWN.*Interface (GigabitEthernet4\/38), changed state to down
>>> desc=(MAJOR) $1 interface $2 DOWN!
>>> action=pipe '%s' /bin/mail -s '[ERROR] IMPORTANT SERVER 1 LINK_DOWN!' n...@domain.net; \
>>>        shellcmd /usr/bin/php /home/scripts/announce.php "IMPORTANT SERVER 1 Link DOWN" "%s" 9
>>> [...]
>>> Multiply that over each port needed, and I am swamped in rules. Is it
>>> possible to utilize a mapping function so I have to write that rule once,
>>> but I can map interfaces with friendly names?
>>>
>>> GigabitEthernet4/38, IMPORTANT SERVER 1
>>> GigabitEthernet4/39, IMPORTANT SERVER 2
>>> GigabitEthernet4/40, IMPORTANT SERVER 3
>>
>> I can see a couple of other ways of doing this inside of sec, but I am
>> not sure it's easier/better than using `` in the command output:
>> 1) use contexts
>> 2) use a perl associative array
>>
>> The context could be called server_for_GigabitEthernet4/38 and have
>> the value IMPORTANT SERVER 1. To populate it a rule like:
>>
>> type = single
>> ptype = regexp
>> pattern = ^set (GigabitEthernet[0-9/]*) (.*)
>> action = fill server_for_$1 $2
>>
>> and generate a series of events/input lines like:
>>
>> set GigabitEthernet4/40 IMPORTANT SERVER 3
>>
>> into SEC (see the mailing list archives for doing this over a secure
>> control channel).
>>
>> Then to use the mapping:
>>
>> action2=assign %S; copy server_for_$2 %S; pipe '%s' /bin/mail -s '[WARNING] %S Link Bounce' n...@domain.net; ...
>>
>> Note I may have some syntax off as I am doing this
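David Lang's split-instead-of-regex matcher, as an added stand-alone Perl example (not the thread's own code) so that it can be run and timed outside SEC. The field positions are worked out for the Cisco line format quoted in this thread and therefore differ from the placeholder indexes in his sketch; %serverhash and the three log lines are constructed, and the regex form of the same test sits beside it so the two can be compared with the core Benchmark module.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: a PerlFunc-style matcher that
# splits on whitespace after the syslog timestamp, next to the equivalent
# regex, with a hash lookup deciding whether the port matters. %serverhash
# and the events are constructed; in SEC the hash would come from the
# startup rule.
use strict;
use warnings;
use Benchmark qw(cmpthese);

my %serverhash = (
    'GigabitEthernet4/38' => 'IMPORTANT SERVER 1',
    'GigabitEthernet4/39' => 'IMPORTANT SERVER 2',
);

# Behaves like a ptype=PerlFunc pattern: the event line arrives as $_[0];
# the return value is 0 for no match, or the list SEC would expose as
# $1, $2, $3 (switch, interface, friendly name).
sub link_down_split {
    my ($line) = @_;
    # The syslog timestamp "Mon dd hh:mm:ss" is always 15 characters wide
    # (the day is space-padded for the 1st to 9th), so skip it by position;
    # split ' ' discards the leading blank and collapses repeated spaces.
    my @f = split ' ', substr($line, 15);
    # @f: 0=host 1=seqno 2=mnemonic 3='Interface' 4='GigabitEthernet4/38,'
    #     5='changed' 6='state' 7='to' 8='down'|'up'
    return 0 unless @f >= 9 && $f[2] eq '%LINK-3-UPDOWN:' && $f[8] eq 'down';
    (my $iface = $f[4]) =~ s/,\z//;              # strip the trailing comma
    return 0 unless exists $serverhash{$iface};  # not a port anyone cares about
    return ($f[0], $iface, $serverhash{$iface});
}

# The same test written as the thread's regex, for comparison.
sub link_down_regex {
    my ($line) = @_;
    return 0 unless $line =~ /^\w+\s+\d+\s\d+:\d+:\d+\s(\S+).*%LINK-3-UPDOWN: Interface (\S+), changed state to down/;
    return 0 unless exists $serverhash{$2};
    return ($1, $2, $serverhash{$2});
}

# Constructed sample events: a mapped port, an unmapped port, and a link-up.
my @events = (
    'Oct 18 13:01:02 switch 362351: %LINK-3-UPDOWN: Interface GigabitEthernet4/38, changed state to down',
    'Oct  1 13:01:03 switch 362352: %LINK-3-UPDOWN: Interface GigabitEthernet4/40, changed state to down',
    'Oct  1 13:01:04 switch 362353: %LINK-3-UPDOWN: Interface GigabitEthernet4/38, changed state to up',
);

for my $line (@events) {
    my @s = link_down_split($line);
    my @r = link_down_regex($line);
    my $same = ("@s" eq "@r") ? 'agree' : 'DIFFER';
    print "$same: ", (@s > 1 ? "$s[0] $s[1] => $s[2]" : 'no match'), "\n";
}

# Relative cost of the two matchers on the first event (a higher rate is better).
cmpthese(-1, {
    split => sub { link_down_split($events[0]) },
    regex => sub { link_down_regex($events[0]) },
});
```

Only the first event yields a match in either form; the second is rejected by the hash lookup and the third by the 'down' check, and the benchmark table shows how the two approaches compare on this particular line shape, which is the trade-off the message above describes.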
Re: [Simple-evcorr-users] Defining a Map for Data
Great idea, however, now all 432 ports on my device would send out an email
on flap, rather than the 60 important ones. This would be perfect if an
entire switch needed friendly names.

As for David's suggestion, this would also be the case, however, I could
error out (silently) if it doesn't match something in the hash. I would
still need to call a shellcmd, I don't just email, I also trigger additional
alerts like sounds and phones with the shellcmd announce.php, I'm happy to
call that separately. At that point, I might as well just offload EVERY
event to different perl files and fail silently if the switch/port
combination is not in a hash/map.

Are these ways any safer(?) or less performance intensive than 60+ rules?
My initial thought was to write a template and seed file (ala Section 4.2
http://sixshooter.v6.thrupoint.net/SEC-examples/article-part2.html#SECPERFORMANCE)
and just deal with adding a line (for each friendly named port) and
recompiling the rules file every time I want to change.

Thoughts?

--
Justin J. Novack
Official Disturber of the Peace

On Tue, Oct 18, 2011 at 1:52 PM, John P. Rouillard wrote:

>
> In message
> ,
> "Justin J. Novack" writes:
> > [...]
> >I could tap the collective knowledge. My dilemma is that I'd like to be
> >able to email out a friendly name for a port if one should exist.
> >
> >Rather than writing a x number of rules for x number of ports with a
> >friendly name, (Port 1 belongs to EXCHANGE, port 2 belongs to
> >DOMAINCONTROLLER, port 3 belongs to DNSSERVER, etc), I was wondering if
> >there is a way to reference a map (by an external file or written within
> >the rule itself).
>
> You could use `grep interface name /file/mapping` in the commands
> where you invoke the shell. Alternatively you could call a shell
> script that interfaces to your inventory management system and does a
> lookup so when the IMS changes mappings, you get the change
> automatically.
>
> action=pipe '%s' /bin/mail -s '[ERROR] `grep '^$2' /file/mapping` LINK_DOWN!' n...@domain.net;
>
> for example.
>
> >My admins don't know what Ethernet4/38 maps to, and they shouldn't be
> >expected to memorize it. So currently I have to write the following rule:
> >
> ># IMPORTANT SERVER 1
> >type=Single
> >ptype=RegExp
> >pattern=\w+\s+\d+\s\d+:\d+:\d+\s(switch).*LINK-3-UPDOWN.*Interface (GigabitEthernet4\/38), changed state to down
> >desc=(MAJOR) $1 interface $2 DOWN!
> >action=pipe '%s' /bin/mail -s '[ERROR] IMPORTANT SERVER 1 LINK_DOWN!' n...@domain.net; \
> >       shellcmd /usr/bin/php /home/scripts/announce.php "IMPORTANT SERVER 1 Link DOWN" "%s" 9
> > [...]
> >Multiply that over each port needed, and I am swamped in rules. Is it
> >possible to utilize a mapping function so I have to write that rule once,
> >but I can map interfaces with friendly names?
> >
> >GigabitEthernet4/38, IMPORTANT SERVER 1
> >GigabitEthernet4/39, IMPORTANT SERVER 2
> >GigabitEthernet4/40, IMPORTANT SERVER 3
>
> I can see a couple of other ways of doing this inside of sec, but I am
> not sure it's easier/better than using `` in the command output:
> 1) use contexts
> 2) use a perl associative array
>
> The context could be called server_for_GigabitEthernet4/38 and have
> the value IMPORTANT SERVER 1. To populate it a rule like:
>
> type = single
> ptype = regexp
> pattern = ^set (GigabitEthernet[0-9/]*) (.*)
> action = fill server_for_$1 $2
>
> and generate a series of events/input lines like:
>
> set GigabitEthernet4/40 IMPORTANT SERVER 3
>
> into SEC (see the mailing list archives for doing this over a secure
> control channel).
>
> Then to use the mapping:
>
> action2=assign %S; copy server_for_$2 %S; pipe '%s' /bin/mail -s '[WARNING] %S Link Bounce' n...@domain.net; ...
>
> Note I may have some syntax off as I am doing this from memory. The
> assign is needed to wipe any prior value and the copy pulls the value
> from the context.
>
> You can also do something similar using a perl associative array
> replacing the fill ... from above with
>
> eval %v ($ServerName{$1} = '$2')
>
> using the same single rule. To retrieve the value use something like:
>
> eval %S ($ServerName{$2})
>
> which will return the value or use some extra perl (... || "Unknown
> server" perhaps??) to return a default value if the key doesn't
> exist. Note there may need to be a return or some other perlish syntax
> around $ServerName{$1}. I'm not in a position to test at the moment.
>
> All of these alternatives allow you to change the mappings on the fly
> using input to SEC (or rewriting an external file) which is usually
> wanted since a change in the wiring infrastructure shouldn't require a
> restart of SEC.
>
> --
>   -- rouilj
> John Rouillard   ===
> My employers don't acknowledge my existence much less my opinions.
Re: [Simple-evcorr-users] Defining a Map for Data
On Tue, 18 Oct 2011, Justin J. Novack wrote:

> Hello Everyone,
>
> Nothing relevant has turned up in a search of the archives, so I was hoping
> I could tap the collective knowledge. My dilemma is that I'd like to be
> able to email out a friendly name for a port if one should exist.
>
> Rather than writing a x number of rules for x number of ports with a
> friendly name, (Port 1 belongs to EXCHANGE, port 2 belongs to
> DOMAINCONTROLLER, port 3 belongs to DNSSERVER, etc), I was wondering if
> there is a way to reference a map (by an external file or written within
> the rule itself).
>
> My admins don't know what Ethernet4/38 maps to, and they shouldn't be
> expected to memorize it. So currently I have to write the following rule:
>
> # IMPORTANT SERVER 1
> type=Single
> ptype=RegExp
> pattern=\w+\s+\d+\s\d+:\d+:\d+\s(switch).*LINK-3-UPDOWN.*Interface (GigabitEthernet4\/38), changed state to down
> desc=(MAJOR) $1 interface $2 DOWN!
> action=pipe '%s' /bin/mail -s '[ERROR] IMPORTANT SERVER 1 LINK_DOWN!' n...@domain.net; \
>        shellcmd /usr/bin/php /home/scripts/announce.php "IMPORTANT SERVER 1 Link DOWN" "%s" 9
>
> type=PairWithWindow
> ptype=RegExp
> pattern=\w+\s+\d+\s\d+:\d+:\d+\s(switch).*LINK-3-UPDOWN.*Interface (GigabitEthernet4\/38), changed state to down
> desc=(MAJOR) $1 interface $2 DOWN and not up for 30 seconds!
> action=pipe '%s' /bin/mail -s '[ERROR] IMPORTANT SERVER 1 LINK_DOWN for 30 seconds!' n...@domain.net; \
>        shellcmd /usr/bin/php /home/scripts/announce.php "IMPORTANT SERVER 1 Link DOWN after 30 seconds" "%s" 9
> ptype2=RegExp
> pattern2=\w+\s+\d+\s\d+:\d+:\d+\s($1).*LINK-3-UPDOWN.*Interface ($2), changed state to up
> desc2=(MINOR) %1 interface %2 BOUNCE within 30 seconds.
> action2=pipe '%s' /bin/mail -s '[WARNING] IMPORTANT SERVER 1 Link Bounce' n...@domain.net; \
>         shellcmd /usr/bin/php /home/scripts/announce.php "IMPORTANT SERVER 1 Link Bounce" "%s" 9
> window=30
>
> Multiply that over each port needed, and I am swamped in rules. Is it
> possible to utilize a mapping function so I have to write that rule once,
> but I can map interfaces with friendly names?
>
> GigabitEthernet4/38, IMPORTANT SERVER 1
> GigabitEthernet4/39, IMPORTANT SERVER 2
> GigabitEthernet4/40, IMPORTANT SERVER 3

create a STARTUP event that executes perl and reads a file into a perl hash

then change your rules to execute a perl snippet instead of a shellcmd and
you can reference the perl hash

as extra credit, create a rule such that when you send a specific message
through the log, it will clear and reload the perl hash from the file.

David Lang
Re: [Simple-evcorr-users] Defining a Map for Data
In message , "Justin J. Novack" writes:
> [...]
> I could tap the collective knowledge. My dilemma is that I'd like to be
> able to email out a friendly name for a port if one should exist.
>
> Rather than writing x number of rules for x number of ports with a
> friendly name (Port 1 belongs to EXCHANGE, port 2 belongs to
> DOMAINCONTROLLER, port 3 belongs to DNSSERVER, etc.), I was wondering if
> there is a way to reference a map (by an external file or written within the
> rule itself).

You could use `grep interface name /file/mapping` in the commands where you invoke the shell. Alternatively you could call a shell script that interfaces to your inventory management system and does a lookup, so when the IMS changes mappings, you get the change automatically.

action=pipe '%s' /bin/mail -s '[ERROR] `grep '^$2' /file/mapping` LINK_DOWN!' n...@domain.net;

for example.

> My admins don't know what Ethernet4/38 maps to, and they shouldn't be
> expected to memorize it. So currently I have to write the following rule:
>
> # IMPORTANT SERVER 1
> type=Single
> ptype=RegExp
> pattern=\w+\s+\d+\s\d+:\d+:\d+\s(switch).*LINK-3-UPDOWN.*Interface (GigabitEthernet4\/38), changed state to down
> desc=(MAJOR) $1 interface $2 DOWN!
> action=pipe '%s' /bin/mail -s '[ERROR] IMPORTANT SERVER 1 LINK_DOWN!' n...@domain.net; \
>        shellcmd /usr/bin/php /home/scripts/announce.php "IMPORTANT SERVER 1 Link DOWN" "%s" 9
> [...]
> Multiply that over each port needed, and I am swamped in rules. Is it
> possible to utilize a mapping function so I have to write that rule once,
> but I can map interfaces with friendly names?
>
> GigabitEthernet4/38, IMPORTANT SERVER 1
> GigabitEthernet4/39, IMPORTANT SERVER 2
> GigabitEthernet4/40, IMPORTANT SERVER 3

I can see a couple of other ways of doing this inside of sec, but I am not sure it's easier/better than using `` in the command output:

1) use contexts
2) use a perl associative array

The context could be called server_for_GigabitEthernet4/38 and have the value IMPORTANT SERVER 1. To populate it, a rule like:

type = single
ptype = regexp
pattern = ^set (GigabitEthernet[0-9/]*) (.*)
action = fill server_for_$1 $2

and generate a series of events/input lines like:

set GigabitEthernet4/40 IMPORTANT SERVER 3

into SEC (see the mailing list archives for doing this over a secure control channel). Then to use the mapping:

action2=assign %S; copy server_for_$2 %S; pipe '%s' /bin/mail -s '[WARNING] %S Link Bounce' n...@domain.net; ...

Note I may have some syntax off as I am doing this from memory. The assign is needed to wipe any prior value and the copy pulls the value from the context.

You can also do something similar using a perl associative array, replacing the fill ... from above with

eval %v ($ServerName{$1} = '$2')

using the same single rule. To retrieve the value use something like:

eval %S ($ServerName{$2})

which will return the value, or use some extra perl (... || "Unknown server" perhaps??) to return a default value if the key doesn't exist. Note there may need to be a return or some other perlish syntax around $ServerName{$1}. I'm not in a position to test at the moment.

All of these alternatives allow you to change the mappings on the fly using input to SEC (or rewriting an external file), which is usually wanted since a change in the wiring infrastructure shouldn't require a restart of SEC.

--
-- rouilj
John Rouillard
===
My employers don't acknowledge my existence much less my opinions.
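As an added example (not code from the thread or from SEC itself), here is the Perl that David's startup eval and John's eval-based lookup would carry, written so it runs stand-alone: it reads the comma-separated lines Justin showed into %ServerName, empties the hash first so a reload drops stale entries, and falls back to a default for an interface that is not in the file. The mapping file contents are constructed, and the function names are my own.

```perl
# Added example, not from the thread: the Perl that the SEC 'eval' actions
# described above would carry, run stand-alone so the mapping logic can be
# checked before it is pasted into a rule file. Line format assumed to match
# Justin's list: "GigabitEthernet4/38, IMPORTANT SERVER 1".
use strict;
use warnings;
use File::Temp qw(tempfile);

our %ServerName;   # inside sec, a hash created by eval persists between actions

# Re-read the map. The hash is emptied first so that an interface removed
# from the file also disappears from the map on reload (David's point).
sub load_map {
    my ($file) = @_;
    open(my $fh, '<', $file) or do { warn "cannot open $file: $!"; return 0 };
    %ServerName = ();
    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /^\s*(#|$)/;                 # skip blanks and comments
        my ($key, $val) = split /\s*,\s*/, $line, 2;   # split on the first comma only
        next unless defined $val and length $val;
        $ServerName{$key} = $val;
    }
    close $fh;
    return scalar keys %ServerName;
}

# Look up the friendly name, with a default so an unmapped interface still
# produces a readable alert instead of an empty subject (John's point).
sub friendly_name {
    my ($iface) = @_;
    return exists $ServerName{$iface} ? $ServerName{$iface} : "Unknown server ($iface)";
}

# Stand-alone demo on a constructed copy of friendlynames.txt.
my ($tmp, $path) = tempfile(UNLINK => 1);
print {$tmp} <<'MAP';
# constructed sample mapping
GigabitEthernet4/38, IMPORTANT SERVER 1
GigabitEthernet4/39, IMPORTANT SERVER 2
GigabitEthernet4/40, IMPORTANT SERVER 3
MAP
close $tmp;
printf "loaded %d mappings\n", load_map($path);
printf "%-20s -> %s\n", $_, friendly_name($_) for ('GigabitEthernet4/39', 'GigabitEthernet4/41');

# In a sec rule file this becomes, roughly, a startup/reload rule carrying
#   action=eval %a ( <body of load_map> )
# and, in the LINK-3-UPDOWN rule, a lookup on the captured interface name:
#   action=eval %S ( $ServerName{$2} || 'Unknown server' ); pipe '%s' /bin/mail -s '[ERROR] %S LINK_DOWN!' ...
```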
[Simple-evcorr-users] Defining a Map for Data
Hello Everyone,

Nothing relevant has turned up in a search of the archives, so I was hoping I could tap the collective knowledge. My dilemma is that I'd like to be able to email out a friendly name for a port if one should exist.

Rather than writing x number of rules for x number of ports with a friendly name (Port 1 belongs to EXCHANGE, port 2 belongs to DOMAINCONTROLLER, port 3 belongs to DNSSERVER, etc.), I was wondering if there is a way to reference a map (by an external file or written within the rule itself).

My admins don't know what Ethernet4/38 maps to, and they shouldn't be expected to memorize it. So currently I have to write the following rule:

# IMPORTANT SERVER 1
type=Single
ptype=RegExp
pattern=\w+\s+\d+\s\d+:\d+:\d+\s(switch).*LINK-3-UPDOWN.*Interface (GigabitEthernet4\/38), changed state to down
desc=(MAJOR) $1 interface $2 DOWN!
action=pipe '%s' /bin/mail -s '[ERROR] IMPORTANT SERVER 1 LINK_DOWN!' n...@domain.net; \
       shellcmd /usr/bin/php /home/scripts/announce.php "IMPORTANT SERVER 1 Link DOWN" "%s" 9

type=PairWithWindow
ptype=RegExp
pattern=\w+\s+\d+\s\d+:\d+:\d+\s(switch).*LINK-3-UPDOWN.*Interface (GigabitEthernet4\/38), changed state to down
desc=(MAJOR) $1 interface $2 DOWN and not up for 30 seconds!
action=pipe '%s' /bin/mail -s '[ERROR] IMPORTANT SERVER 1 LINK_DOWN for 30 seconds!' n...@domain.net; \
       shellcmd /usr/bin/php /home/scripts/announce.php "IMPORTANT SERVER 1 Link DOWN after 30 seconds" "%s" 9
ptype2=RegExp
pattern2=\w+\s+\d+\s\d+:\d+:\d+\s($1).*LINK-3-UPDOWN.*Interface ($2), changed state to up
desc2=(MINOR) %1 interface %2 BOUNCE within 30 seconds.
action2=pipe '%s' /bin/mail -s '[WARNING] IMPORTANT SERVER 1 Link Bounce' n...@domain.net; \
        shellcmd /usr/bin/php /home/scripts/announce.php "IMPORTANT SERVER 1 Link Bounce" "%s" 9
window=30

Multiply that over each port needed, and I am swamped in rules. Is it possible to utilize a mapping function so I have to write that rule once, but I can map interfaces with friendly names?

GigabitEthernet4/38, IMPORTANT SERVER 1
GigabitEthernet4/39, IMPORTANT SERVER 2
GigabitEthernet4/40, IMPORTANT SERVER 3

Thank you kindly,

--
Justin J. Novack
Official Disturber of the Peace