I have a config that watches a pile of network devices. Among other things,
it ignores mass quantities of message types that we don't care about, and
has a few that alert immediately because they are especially important.
Everything else which might be important gets lumped together by IOS message
type and reported as a context after 30 seconds of gathering these events:
# match on the first and create a context. alert after 30 seconds
type=Single
ptype=RegExp
pattern=^.{14,15}\s+(\S+)\s+.*%(\S+):\s+.*
desc=$2 IOS message from $1
context=!IOS_$1_$2 && !IGNORE_IOS_$1_$2
action=create IOS_$1_$2 30 (report IOS_$1_$2 /bin/mail -s '[Network SEC] $2 IOS message\(s\) from $1' jhart); \
add IOS_$1_$2 $0

# pile up all the messages so long as the context has already been created and
# we aren't supposed to be ignoring it, and then pass the message on to the
# next rule (counter)
type=Single
ptype=RegExp
continue=TakeNext
pattern=^.{14,15}\s+(\S+)\s+.*%(\S+):\s+.*
context=IOS_$1_$2 && !IGNORE_IOS_$1_$2
desc=$2 IOS message from $1
action=add IOS_$1_$2 $0
-jon
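To see what the two rules above actually do to a stream of Cisco syslog lines, here is an added Python simulation of them. It is not part of Jon's post and not SEC code: it reuses his regex unchanged, replaces SEC's context store with a dict keyed by the same `IOS_<host>_<type>` names, drives the 30-second lifetime from a simulated clock instead of wall time, and collects the `report` output in a list instead of piping it to `/bin/mail`. The `IGNORE_IOS_*` contexts that his other (unposted) rules would create are stood in for by a plain set, and the syslog lines are constructed for the example.

```python
import re

# The same pattern the SEC rules use; Python's re reads it identically.
IOS_RE = re.compile(r"^.{14,15}\s+(\S+)\s+.*%(\S+):\s+.*")

CONTEXT_LIFETIME = 30  # seconds, matching "create IOS_$1_$2 30"


class IosCorrelator:
    """Toy re-implementation of the two SEC rules.

    The first match for a (host, message type) pair creates a context that
    lives CONTEXT_LIFETIME seconds; every later match while it is alive is
    appended to it; when it expires the accumulated lines are "reported"
    (SEC would run /bin/mail here, this version appends to self.reports).
    """

    def __init__(self, ignore=()):
        # Assumption: stand-in for the IGNORE_IOS_<host>_<type> contexts
        # that rules outside the post would create.
        self.ignore = set(ignore)
        self.contexts = {}  # name -> {"host", "type", "expires", "lines"}
        self.reports = []   # one dict per expired context

    def expire(self, now):
        """Fire the report action for every context whose lifetime is over."""
        due = [n for n, c in self.contexts.items() if now >= c["expires"]]
        for name in due:
            c = self.contexts.pop(name)
            self.reports.append({
                "subject": f"[Network SEC] {c['type']} IOS message(s) from {c['host']}",
                "lines": c["lines"],
            })

    def feed(self, now, line):
        """Process one syslog line at simulated time `now`.

        Returns the context name the line was added to, or None if the
        line did not match or its (host, type) pair is being ignored."""
        self.expire(now)
        m = IOS_RE.match(line)
        if not m:
            return None
        host, msgtype = m.group(1), m.group(2)      # SEC's $1 and $2
        name = f"IOS_{host}_{msgtype}"
        if f"IGNORE_{name}" in self.ignore:         # !IGNORE_IOS_$1_$2
            return None
        if name not in self.contexts:               # rule 1: create
            self.contexts[name] = {"host": host, "type": msgtype,
                                   "expires": now + CONTEXT_LIFETIME,
                                   "lines": []}
        self.contexts[name]["lines"].append(line)   # add IOS_$1_$2 $0
        return name


# Constructed sample: (seconds since start, line as a BSD syslog relay writes it).
SAMPLE = [
    (0,  "Mar  4 12:00:00 rtr1 101: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.1)"),
    (5,  "Mar  4 12:00:05 rtr1 102: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.1)"),
    (7,  "Mar  4 12:00:07 sw1 55: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down"),
    (9,  "Mar  4 12:00:09 rtr1 103: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.1(1234) -> 10.0.0.2(80), 1 packet"),
    (12, "Mar  4 12:00:12 rtr1 104: Interface GigabitEthernet0/0, changed state to up"),  # no %TYPE: -> no match
    (31, "Mar  4 12:00:31 sw1 56: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up"),
    (45, "Mar  4 12:00:45 rtr1 105: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.1)"),
]


def run_sample():
    """Replay SAMPLE; return (reports fired, {still-open context: line count})."""
    c = IosCorrelator(ignore={"IGNORE_IOS_rtr1_SEC-6-IPACCESSLOGP"})
    for t, line in SAMPLE:
        c.feed(t, line)
    return c.reports, {n: len(ctx["lines"]) for n, ctx in c.contexts.items()}


if __name__ == "__main__":
    reports, still_open = run_sample()
    for r in reports:
        print(r["subject"])
        for l in r["lines"]:
            print("   ", l)
    print("still open at end of input:", still_open)
```

Replaying the sample, the two `rtr1` CONFIG_I lines at t=0 and t=5 go out as one report when their context expires at t=30, the two `sw1` UPDOWN lines (t=7 and t=31) as another at t=37, the IPACCESSLOGP line is dropped by the ignore check, the line with no `%TYPE:` never matches, and the CONFIG_I line at t=45 opens a fresh context that is still waiting when input ends. One property of the pattern worth knowing: because `.*` is greedy, `$2` is taken from the rightmost `%...:` on the line; IOS messages normally carry exactly one, so that is fine, but a message body that happens to contain another `%word:` would be filed under that word instead.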
_______________________________________________
Simple-evcorr-users mailing list
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users