Hi Rouillard:
Thanks, I've researched the docs you gave to me in the mail and
they are quite helpful.
I tested $host_in_maintain successfully with cron. Everyone who
uses SEC in their real environment should know this feature. It's very
important.
However, I encountered a problem when I was using rules in the
01control.sr file (downloaded from your website).
QUOTE Begin:
type=single
continue=dontcont
ptype=tvalue
pattern=TRUE
desc=report event processed.
action=create EVENT_PROCESSED
QUOTE End:
"continue=dontcont" means do not continue to execute if the pattern is
true. However, this rule is always true. So I think the value of
"continue" should be "takenext".
Thanks again.
Rgds
LY
2008/10/5 John P. Rouillard <[EMAIL PROTECTED]>:
>
> Hello:
>
> In message <[EMAIL PROTECTED]>,
> "刘勇" writes:
>
>> At the beginning, because of a lack of SEC rules, we received a huge
>> number of tickets. So we changed our way. Every day we review the event
>> log and collect the events which are important to us and should be
>> handled manually. Then we wrote rules for these events. It seems OK
>> now.
>
> Yup. I never recommend sending all events to a ticketing system until
> you have a working set of rules. I also have a catchall rule at the
> end that sends email of unhandled events to a few humans to analyze,
> and if needed forward to a ticketing system.
>
>> However, we did encounter some problems which are not resolved:
>> 1. There are always some servers which are under maintenance in our
>> datacenter. So in the maintenance windows, server guys do not want to
>> receive the tickets. At first, we changed our rules with calendar and
>> context, then restarted SEC to meet this requirement. Later we found
>> this job seems impossible because the hosts under maintenance
>> change day by day and the maintenance windows could be random
>> and overlap. For example, A,B under maintenance during 00:00am-02:00am,
>> C,D under maintenance during 01:00am-03:00am. So I should write about 140
>> maintenance contexts, one for each server.
>
> Use contexts that are manually controlled and a rule set that checks
> the source of each event. If the source host for that event is in
> maintenance (as determined by a context called <hostname>_in_maint,
> for example), just consume the event and don't pass it to any other
> rules.
>
> To dynamically configure contexts under the control of an outside
> agent (Windows scheduler, cron, etc.), see:
>
> http://www.cs.umb.edu/~rouilj/sec/rulesets/Readme.txt
>
> for the mechanism to create a control channel/input and
>
> http://www.cs.umb.edu/~rouilj/sec/rulesets/01control.sr
>
> for rules that create/delete/obsolete and add to contexts based on
> events appended to the external control file.
>
>> 2. How to manage the logpp's and SEC rules. We've got more and more
>> rules over time and would like to put them into some categories,
>> easy to find, etc.
>
> Sounds like you need to read:
>
> http://www.cs.umb.edu/~rouilj/sec/sec_paper_full.pdf
>
> along with reviewing the info linked from:
>
> http://www.cs.umb.edu/~rouilj/sec
>
>> 3. The next plan is to add syslog of our Cisco devices into this
>> system. As I found, SEC will correlate the event rule by rule until
>> it is matched on a rule. That means a Cisco event would be passed by all
>> Windows rules before it was correlated. I think it would lead to a
>> performance problem when rules for Cisco have been added. My simple
>> solution is to run some separate processes to handle different events.
>
> The paper referenced above discusses how to handle this and the sample
> rule sets linked from http://www.cs.umb.edu/~rouilj/sec implement a
> framework to limit ruleset application to only a subset of all events.
>
> --
> -- rouilj
> John Rouillard
> ===========================================================================
> My employers don't acknowledge my existence much less my opinions.
>
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
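The <hostname>_in_maint scheme discussed in the reply above, written out in SEC rule syntax as an added example. This is not Rouillard's 01control.sr and not code from either message: the "CONTROL create/delete" line format, the control-file path, the syslog field layout and the open_ticket script are all assumptions made for the example. Rule 3 is the point of the scheme: the context expression is evaluated with $1 substituted, so one rule covers every host, and its DontCont only takes effect when the context exists, unlike an unconditional pattern=TRUE rule, which consumes every event that reaches it and therefore must be the last rule that is meant to see them.

```text
# maint.sr -- added example of maintenance-window contexts in SEC.
# Assumptions (not from the original messages or Rouillard's rulesets):
#   * events are syslog lines, source host is the 4th whitespace field:
#       Oct  5 01:17:42 hostA sshd[4711]: error: PAM: ...
#   * cron appends control lines to a file SEC reads via --input, e.g.
#       0 0 * * *  echo "CONTROL create hostA_in_maint 7200" >> /var/run/sec/control
#       0 1 * * *  echo "CONTROL create hostC_in_maint 7200" >> /var/run/sec/control
#     Overlapping windows on different hosts need no coordination and
#     no SEC restart; each context simply expires after its lifetime.

# Rule 1: open a window by creating a context with a lifetime in seconds.
type=Single
ptype=RegExp
pattern=^CONTROL create (\S+_in_maint) (\d+)$
desc=open maintenance window: context $1 for $2 seconds
action=create $1 $2; logonly
continue=DontCont

# Rule 2: close a window early (cron or a human).
type=Single
ptype=RegExp
pattern=^CONTROL delete (\S+_in_maint)$
desc=close maintenance window: delete context $1
action=delete $1; logonly
continue=DontCont

# Rule 3: consume any event whose source host has an active
# <host>_in_maint context.  If the context does not exist the rule does
# not match and the event falls through to the rules below.
type=Single
ptype=RegExp
pattern=^\w{3}\s+\d+\s+[\d:]+\s+(\S+)\s
context=$1_in_maint
desc=drop event from $1 during maintenance
action=logonly
continue=DontCont

# Rule 4: example ticketing rule; only hosts not in maintenance reach it.
# The event text is fed to the script's stdin with "pipe" rather than
# interpolated into a shellcmd command line, so log content never
# becomes shell syntax.
type=Single
ptype=RegExp
pattern=^\w{3}\s+\d+\s+[\d:]+\s+(\S+)\s+.*(?:error|fail)
desc=ticket: $1 reported an error
action=pipe '%s' /usr/local/bin/open_ticket
continue=TakeNext
```

Because every rule in the file is only as safe as what comes before it, the host-extraction pattern in rules 3 and 4 has to match exactly the syslog format actually fed to SEC; a line that does not match rule 3 cannot be suppressed, so verify the pattern against real input (for example with `sec --debug=6 --input=...`) before trusting the maintenance window.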