In message <20090123162557.3y36o9ziscosw...@frg.sysmacenter.de>, Thomas Wollner writes:

>I receive a lot of syslogs from access-switches (link and line proto
>up/down) but I'm only interested in these messages coming from
>key-devices. For that I have created a facts file which holds the
>information which device is a "key" device.
>
>Now I want to perform a lookup from within the rule to decide whether the
>device is a key device or not. How can I do that with SEC?
>
>The format of my fact file is for example:
>10.10.10.1|bigrouter1|keydevice
>10.10.1.1|smallswitch1|access
>
>Currently I'm using the following rules for link-up-down correlation:
>
># This rule deals with link down events
>#
>type=PairWithWindow
>ptype=RegExp
>pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%LINK-3-UPDOWN: Interface (\S+), changed state to down
>desc=(MINOR) $1 INTERFACE $2 DOWN and not up in one minute
>action=shellcmd /opt/sec/tools/send_nsca.sh $1 WARNING '%s'
>ptype2=RegExp
>pattern2=($1)\s+\d+:.*?%LINK-3-UPDOWN: Interface ($2), changed state to up
>desc2=(WARNING) %1 INTERFACE %2 BOUNCE
>action2=event %s
>window=60
>
># when the first bounce event is seen, create a reporting trigger
>#
>type=Single
>continue=TakeNext
>ptype=regexp
>pattern=(\S+) INTERFACE (\S+) BOUNCE
>context=!INTERFACE_BOUNCE_WAIT_$1
>desc=interface bounce summary event for router $1
>action=create INTERFACE_BOUNCE_WAIT_$1 10; shellcmd /opt/sec/tools/send_nsca.sh $1 INFO '%s'; delete INTERFACE_BOUNCE_$1
>
># accumulate all interface bounce events into a context
>#
>type=Single
>ptype=regexp
>pattern=(\S+) INTERFACE (\S+) BOUNCE
>desc=interface bounce for router $1 interface $2 detected
>action=add INTERFACE_BOUNCE_$1 %t: %s
In the rule:

>desc=(MINOR) $1 INTERFACE $2 DOWN and not up in one minute

I assume $1 is the hostname, like bigrouter or smallswitch. If so, I would
use your fact file to create a bunch of contexts on startup, reload or
softreload. A rule like:

# feed the facts file into SEC as events when SEC starts or reloads
type=Single
desc=input facts file
ptype=TValue
pattern=TRUE
context=SEC_RESTART || SEC_SOFTRESTART || SEC_STARTUP
action=spawn sed -ne '/keydevice/s/^/fact:/p' factfile

# one context per ip and one per hostname, named after the role column
type=Single
desc=create context from facts file
ptype=RegExp
pattern=^fact:([0-9.]*)\|([^|]*)\|(.*)
action=create fact_$3_$1; create fact_$3_$2

to create contexts like:

fact_keydevice_bigrouter1
fact_keydevice_10.10.10.1
fact_access_smallswitch1
fact_access_10.10.1.1

then in your

>desc=(MINOR) $1 INTERFACE $2 DOWN and not up in one minute

rule add a context statement like:

context=fact_keydevice_$1

so that the rule only triggers if the device (stored in $1) is a key device.

You still may need a mechanism for removing these contexts from memory if you
demote a keydevice, but something similar can be done, or you can create a
pipe in the filesystem that SEC monitors and takes commands to add/remove
contexts at runtime.

--
-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
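As an added illustration (not code from the thread or from SEC itself), a small Python stand-in for the approach above: it derives the fact_<role>_<ip> and fact_<role>_<host> contexts from a constructed facts file and runs the %LINK-3-UPDOWN down/up window logic over a few constructed syslog lines, so only key devices produce the MINOR and BOUNCE results. The EVENTS timestamps and sample lines are constructed; the regexes are the ones from the thread.

```python
import re
# Constructed facts file in the format from the post: ip|hostname|role
FACTS = "10.10.10.1|bigrouter1|keydevice\n10.10.1.1|smallswitch1|access\n"

# The post's %LINK-3-UPDOWN pattern, with the link state captured as $3
LINK_RE = re.compile(r'\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%LINK-3-UPDOWN: '
                     r'Interface (\S+), changed state to (down|up)')

# Constructed (seconds, syslog line) events; smallswitch1 is only an access device
EVENTS = [
    (0, '16:25:00 bigrouter1 101: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down'),
    (20, '16:25:20 smallswitch1 55: %LINK-3-UPDOWN: Interface FastEthernet0/5, changed state to down'),
    (30, '16:25:30 bigrouter1 102: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up'),
    (40, '16:25:40 bigrouter1 103: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to down'),
    (50, '16:25:50 smallswitch1 56: %LINK-3-UPDOWN: Interface FastEthernet0/5, changed state to up'),
    (200, '16:28:20 bigrouter1 105: %SYS-5-CONFIG_I: Configured from console'),
]

def load_fact_contexts(text):
    """Mirror the second suggested rule: fact_<role>_<ip> and fact_<role>_<host> per line."""
    contexts = set()
    for line in text.splitlines():
        m = re.match(r'^([0-9.]*)\|([^|]*)\|(.*)$', line)
        if m:
            ip, host, role = m.groups()
            contexts.update({f'fact_{role}_{ip}', f'fact_{role}_{host}'})
    return contexts

def correlate(events, contexts, window=60):
    """Stand-in for the PairWithWindow rule gated by the fact_keydevice_<host> context."""
    pending, alerts = {}, []  # pending: (host, iface) -> time the 'down' was seen
    for ts, line in events:
        for key, t0 in list(pending.items()):  # window expiry: no up seen -> MINOR
            if ts - t0 >= window:
                alerts.append(f'(MINOR) {key[0]} INTERFACE {key[1]} DOWN and not up in one minute')
                del pending[key]
        m = LINK_RE.search(line)
        if not m:
            continue
        host, iface, state = m.groups()
        if f'fact_keydevice_{host}' not in contexts:
            continue  # the context= check: access devices never reach the actions
        key = (host, iface)
        if state == 'down':
            pending.setdefault(key, ts)
        elif key in pending:  # up inside the window -> BOUNCE, like desc2/action2
            alerts.append(f'(WARNING) {host} INTERFACE {iface} BOUNCE')
            del pending[key]
    return alerts
```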