Hello John, hello Risto,

thank you both for your replies. I will check out the very helpful suggestions and report back which way I'll go.

thank you, best regards,
Thomas Wollner

John P. Rouillard wrote:
> In message <20090123162557.3y36o9ziscosw...@frg.sysmacenter.de>,
> Thomas Wollner writes:
>> I receive a lot of syslogs from access-switches (link and line proto
>> up/down) but I'm only interested in those messages coming from
>> key devices. For that I have created a facts file which holds the
>> information about which device is a "key" device.
>>
>> Now I want to perform a lookup from within the rule to decide whether the
>> device is a key device or not. How can I do that with SEC?
>>
>> The format of my facts file is for example:
>> 10.10.10.1|bigrouter1|keydevice
>> 10.10.1.1|smallswitch1|access
>>
>> Currently I'm using the following rules for link-up-down correlation:
>>
>> # This rule deals with link down events
>> #
>> type=PairWithWindow
>> ptype=RegExp
>> pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%LINK-3-UPDOWN: Interface (\S+), changed state to down
>> desc=(MINOR) $1 INTERFACE $2 DOWN and not up in one minute
>> action=shellcmd /opt/sec/tools/send_nsca.sh $1 WARNING '%s'
>> ptype2=RegExp
>> pattern2=($1)\s+\d+:.*?%LINK-3-UPDOWN: Interface ($2), changed state to up
>> desc2=(WARNING) %1 INTERFACE %2 BOUNCE
>> action2=event %s
>> window=60
>>
>> # when the first bounce event is seen, create a reporting trigger
>> #
>> type=Single
>> continue=TakeNext
>> ptype=regexp
>> pattern=(\S+) INTERFACE (\S+) BOUNCE
>> context=!INTERFACE_BOUNCE_WAIT_$1
>> desc=interface bounce summary event for router $1
>> action=create INTERFACE_BOUNCE_WAIT_$1 10; shellcmd /opt/sec/tools/send_nsca.sh $1 INFO '%s'; delete INTERFACE_BOUNCE_$1
>>
>> # accumulate all interface bounce events into a context
>> #
>> type=Single
>> ptype=regexp
>> pattern=(\S+) INTERFACE (\S+) BOUNCE
>> desc=interface bounce for router $1 interface $2 detected
>> action=add INTERFACE_BOUNCE_$1 %t: %s
>
> In the rule:
>
> >desc=(MINOR) $1 INTERFACE $2 DOWN and not up in one minute
>
> I assume $1 is the hostname like: bigrouter, or smallswitch.
>
> If so I would use your facts file to create a bunch of contexts on startup,
> reload or softreload.
>
> A rule like:
>
> # on (re)start, turn every keydevice line of the facts file into a
> # "fact:" input event
> type = single
> desc = input facts file
> ptype = tvalue
> pattern = TRUE
> context = SEC_RESTART || SEC_SOFTRESTART || SEC_STARTUP
> action = spawn sed -ne '/keydevice/s/^/fact:/p' factfile
>
> # one context per (role, identifier) pair for each "fact:" event
> type = single
> desc = create context from facts file
> ptype = regexp
> pattern = ^fact:([0-9.]*)\|([^|]*)\|(.*)
> action = create fact_$3_$1; create fact_$3_$2
>
> to create contexts like:
>
> fact_keydevice_bigrouter1
> fact_keydevice_10.10.10.1
> fact_access_smallswitch1
> fact_access_10.10.1.1
>
> then in your
>
> >desc=(MINOR) $1 INTERFACE $2 DOWN and not up in one minute
>
> rule add a context statement like:
>
> context = fact_keydevice_$1
>
> so that the rule only triggers if the device (stored in $1) is a key
> device.
>
> You still may need a mechanism for removing these contexts from memory
> if you demote a keydevice, but something similar can be done, or you
> can create a pipe in the filesystem that SEC monitors and takes
> commands to add/remove contexts at runtime.
>
> --
> -- rouilj
> John Rouillard
> ===========================================================================
> My employers don't acknowledge my existence much less my opinions.

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
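The lookup John describes, emulated outside SEC as an added example (this is neither code from the thread nor part of SEC itself): the facts file is parsed into a role map keyed by both IP and hostname, which is exactly the pair of contexts his second rule creates, and the `%LINK-3-UPDOWN` regex from Thomas' PairWithWindow rule is applied to a few constructed syslog lines. The role check before the correlation step is the Python equivalent of adding `context = fact_keydevice_$1` to the rule. The facts file contents, the syslog lines and the `keydevice` role name are constructed or taken from the thread; malformed facts lines are skipped rather than guessed at.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed facts file in the ip|hostname|role format from the thread.
FACTS_FILE = """\
10.10.10.1|bigrouter1|keydevice
10.10.1.1|smallswitch1|access
"""

# Constructed Cisco-style syslog lines; the device field is whatever the
# sender put there, so one line carries the IP instead of the hostname.
SYSLOG_LINES = [
    "Jan 23 16:25:57 bigrouter1 123: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "Jan 23 16:26:01 smallswitch1 45: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to down",
    "Jan 23 16:26:10 bigrouter1 124: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up",
    "Jan 23 16:27:00 10.10.10.1 125: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to down",
]

# The pattern from the PairWithWindow rule, with the state captured as well.
LINK_RE = re.compile(
    r"\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%LINK-3-UPDOWN: Interface (\S+), changed state to (down|up)"
)
TIME_RE = re.compile(r"(\d+):(\d+):(\d+)")
WINDOW = 60  # seconds, as in window=60


def load_facts(text: str) -> Dict[str, str]:
    """Map both the IP and the hostname of every facts line to its role.

    Lines that do not have exactly three non-empty fields are ignored, so a
    broken line cannot silently promote or demote a device.
    """
    roles: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 3 or not all(fields):
            continue
        ip, host, role = fields
        roles[ip] = role
        roles[host] = role
    return roles


def fact_contexts(roles: Dict[str, str]) -> Set[str]:
    """Context names John's second rule would create: fact_<role>_<identifier>."""
    return {f"fact_{role}_{ident}" for ident, role in roles.items()}


def correlate(lines: List[str], roles: Dict[str, str],
              window: int = WINDOW) -> List[Tuple[str, str, str, str]]:
    """Emulate the PairWithWindow rule, gated on the key-device lookup.

    Returns (severity, device, interface, message) tuples: a 'down' with no
    'up' inside the window becomes MINOR, a down/up pair inside the window
    becomes a WARNING bounce. Whatever is still pending when the batch ends
    is reported as expired (simplification: SEC itself waits for the window).
    """
    pending: Dict[Tuple[str, str], int] = {}
    alerts: List[Tuple[str, str, str, str]] = []

    def expire(now: int) -> None:
        for key, down_at in list(pending.items()):
            if now - down_at > window:
                del pending[key]
                alerts.append(("MINOR", key[0], key[1], "DOWN and not up in one minute"))

    for line in lines:
        m = LINK_RE.search(line)
        if not m:
            continue
        device, iface, state = m.groups()
        # Equivalent of 'context = fact_keydevice_$1': devices without that
        # fact never reach the correlation logic at all.
        if roles.get(device) != "keydevice":
            continue
        h, mi, s = (int(x) for x in TIME_RE.search(line).groups())
        now = h * 3600 + mi * 60 + s
        expire(now)
        key = (device, iface)
        if state == "down":
            pending[key] = now
        elif key in pending:
            pending.pop(key)
            alerts.append(("WARNING", device, iface, "BOUNCE"))

    for device, iface in list(pending):
        alerts.append(("MINOR", device, iface, "DOWN and not up in one minute"))
    return alerts


if __name__ == "__main__":
    roles = load_facts(FACTS_FILE)
    print(sorted(fact_contexts(roles)))
    for alert in correlate(SYSLOG_LINES, roles):
        print(alert)
```

With the constructed input, the access switch's link-down is dropped by the role check, bigrouter1's down/up 13 seconds apart becomes a BOUNCE, and the unanswered down reported under the IP 10.10.10.1 is still recognised as a key device because the facts file maps both identifiers.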