Re: [Simple-evcorr-users] Defining a Map for Data - SOLVED
David,

You are correct, sir! Per the inline documentation:

# if SIGHUP has arrived, reopen input files and logfile, re-read
# configuration and empty all lists concerning events and correlation
# information; *if SIGABRT has arrived, behave like SIGHUP but preserve*
# *contexts that are active*

Mon Oct 24 12:45:52 2011: SIGHUP received: full restart of SEC
Mon Oct 24 12:45:52 2011: Reading configuration from /etc/sec/cisco/asa.sec
Mon Oct 24 12:45:52 2011: 21 rules loaded from /etc/sec/cisco/asa.sec
Mon Oct 24 12:45:52 2011: Creating SEC internal context 'SEC_INTERNAL_EVENT'
Mon Oct 24 12:45:52 2011: Creating SEC internal event 'SEC_RESTART'
Mon Oct 24 12:45:52 2011: Deleting SEC internal context 'SEC_INTERNAL_EVENT'

Mon Oct 24 12:57:09 2011: SIGABRT received: soft restart of SEC
Mon Oct 24 12:57:09 2011: Creating SEC internal context 'SEC_INTERNAL_EVENT'
Mon Oct 24 12:57:09 2011: Creating SEC internal event 'SEC_SOFTRESTART'
Mon Oct 24 12:57:09 2011: Deleting SEC internal context 'SEC_INTERNAL_EVENT'

A safer way to reload the hashes, without losing the contexts, is to send a KILL $pid -ABRT after editing the file.

type=Single
desc=Dynamically reload Hashes
ptype=SubStr
continue=TakeNext
pattern=SEC_SOFTRESTART
context=SEC_INTERNAL_EVENT
action=eval %a ( open(FILE, "</etc/sec/friendlynames.txt"); while (<FILE>) { chomp; my ($key, $val) = split /=/; $hash{"$key"} = $val; })

Or, if feeling adventurous, it's merely a .pl file. We can always roll-your-own SIG handler. :)

---
Justin J. Novack
Official Disturber of the Peace

On Wed, Oct 19, 2011 at 3:37 PM, wrote:
> I am thinking that they are lost on a -HUP because the -HUP recompiles the
> rules.
>
> I am thinking that you need something along the lines of
>
> type=Single
> desc=Load hashes at startup
> ptype=SubStr
> continue=TakeNext
> pattern=reload friendlynames.txt file
> action=eval %a ( open(FILE, "</etc/sec/friendlynames.txt"); while (<FILE>) { chomp; my ($key, $val) = split /=/; $hash{"$key"} = $val; })
>
> since you run things on reload, you probably need the clearing of the hash
> in your original version as well (since this file is something that usually
> only grows, the fact that a reload would not remove an entry from the hash
> is probably not a big problem, but in other contexts it will matter)
>
> David Lang

--
The demand for IT networking professionals continues to grow, and the
demand for specialized networking skills is growing even more rapidly.
Take a complimentary Learning@Cisco Self-Assessment and learn
about Cisco certifications, training, and career opportunities.
http://p.sf.net/sfu/cisco-dev2dev
___
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
Re: [Simple-evcorr-users] Defining a Map for Data - SOLVED
On Wed, 19 Oct 2011, Justin J. Novack wrote:

> Again, thank you John, David, et al. My full solution is posted for
> reference. Please feel free to include in documentation.
>
> /etc/sec/friendlynames.txt
> GigabitEthernet1/37=TEST SERVER
> GigabitEthernet3/39=IMPORTANT SERVER
>
> /etc/sec/testing.sec
> ===
> type=Single
> desc=Load hashes at startup
> ptype=SubStr
> continue=TakeNext
> pattern=SEC_STARTUP|SEC_RESTART
> context=SEC_INTERNAL_EVENT
> action=eval %a ( open(FILE, "</etc/sec/friendlynames.txt"); while (<FILE>) { chomp; my ($key, $val) = split /=/; $hash{"$key"} = $val; })
>
> #Aug 1 12:14:54 switchname 362351: %LINK-3-UPDOWN: Interface GigabitEthernet1/37, changed state to down
> type=Single
> desc=Fire Event
> ptype=RegExp
> pattern=%LINK-3-UPDOWN: Interface ([\w\/]+), changed state to down
> context= =($hash{"$1"})
> action=eval %host ( return $hash{"$1"}; ); logonly Uh-oh! Problem with %host
>
> From here, you can do what you want with %host as normal.
>
> (P.S. - David, since a reload will reload the hashes, does that count as
> completing the extra credit? Do contexts persist a 'kill $PID -HUP'?)

I am thinking that they are lost on a -HUP because the -HUP recompiles the rules.

I am thinking that you need something along the lines of

type=Single
desc=Load hashes at startup
ptype=SubStr
continue=TakeNext
pattern=reload friendlynames.txt file
action=eval %a ( open(FILE, "</etc/sec/friendlynames.txt"); while (<FILE>) { chomp; my ($key, $val) = split /=/; $hash{"$key"} = $val; })

since you run things on reload, you probably need the clearing of the hash in your original version as well (since this file is something that usually only grows, the fact that a reload would not remove an entry from the hash is probably not a big problem, but in other contexts it will matter)

David Lang
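Added example, not part of the thread and not written by its participants: a Perl sketch of the reload behaviour discussed above, where the map is rebuilt from scratch on every load so removed entries disappear, and the old map is kept if the file cannot be opened. The sub names load_map and reload_map and the temporary file are assumptions made for illustration; the sample entries are constructed in the friendlynames.txt format.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);

our %hash;    # lookup table, read as $hash{...} by the rules in the thread

# Parse $path into a fresh hash; return undef if the file cannot be opened.
sub load_map {
    my ($path) = @_;
    open(my $fh, '<', $path) or return undef;    # 3-arg open, lexical handle
    my %new;
    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /^\s*(?:#|$)/;           # skip blank and comment lines
        my ($key, $val) = split /=/, $line, 2;    # limit 2 keeps '=' inside values
        next unless defined $val && length $key;  # ignore lines without key=value
        $new{$key} = $val;
    }
    close $fh;
    return \%new;
}

# Swap %hash only after a successful parse: stale entries are dropped,
# and a failed reload leaves the previous map in place.
sub reload_map {
    my ($path) = @_;
    my $new = load_map($path) or return 0;
    %hash = %$new;
    return 1;
}

# Constructed sample data in the friendlynames.txt format.
my ($out, $file) = tempfile(UNLINK => 1);
print $out "GigabitEthernet1/37=TEST SERVER\n",
           "GigabitEthernet3/39=IMPORTANT SERVER\n",
           "line without separator\n";
close $out;
reload_map($file) or die "initial load failed";
print "loaded: ", join(', ', sort keys %hash), "\n";

# Edit the file: one entry removed, one value now contains '='.
open(my $edit, '>', $file) or die "cannot rewrite $file: $!";
print $edit "GigabitEthernet3/39=IMPORTANT SERVER (rack=B2)\n";
close $edit;
reload_map($file);
print exists $hash{'GigabitEthernet1/37'} ? "stale entry kept\n" : "stale entry gone\n";
print "value: $hash{'GigabitEthernet3/39'}\n";

# An unreadable file must not wipe the existing map.
reload_map("$file.missing")
    or print "reload failed, kept ", scalar(keys %hash), " entries\n";
```

Inside SEC the same two subs could be called from the eval action of a rule matching SEC_STARTUP, SEC_RESTART and SEC_SOFTRESTART, with the path from the thread passed as the argument.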
Re: [Simple-evcorr-users] Defining a Map for Data - SOLVED
Again, thank you John, David, et al. My full solution is posted for reference. Please feel free to include in documentation.

/etc/sec/friendlynames.txt
GigabitEthernet1/37=TEST SERVER
GigabitEthernet3/39=IMPORTANT SERVER

/etc/sec/testing.sec
===
type=Single
desc=Load hashes at startup
ptype=SubStr
continue=TakeNext
pattern=SEC_STARTUP|SEC_RESTART
context=SEC_INTERNAL_EVENT
action=eval %a ( open(FILE, "</etc/sec/friendlynames.txt"); while (<FILE>) { chomp; my ($key, $val) = split /=/; $hash{"$key"} = $val; })

#Aug 1 12:14:54 switchname 362351: %LINK-3-UPDOWN: Interface GigabitEthernet1/37, changed state to down
type=Single
desc=Fire Event
ptype=RegExp
pattern=%LINK-3-UPDOWN: Interface ([\w\/]+), changed state to down
context= =($hash{"$1"})
action=eval %host ( return $hash{"$1"}; ); logonly Uh-oh! Problem with %host

From here, you can do what you want with %host as normal.

(P.S. - David, since a reload will reload the hashes, does that count as completing the extra credit? Do contexts persist a 'kill $PID -HUP'?)

---
Justin J. Novack
Official Disturber of the Peace