Hi Honia,
I took a look at your setup and made the following changes for testing:
type=Single
ptype=RegExp
pattern=\[\d{4}(-\d\d){2} (\d\d:){2}\d\d\].\s*Notification:\sseverity\s*=\s*([^,]*),\s*message\s=.\s*(\S+)\|(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})\|(CONFIG)
desc=$0
action=write - OKOKOKOK: $0
Running sec with -input=- and pasting the text you have in your email below
works fine.
To me, the problem looks like it's something else. Here are some suggestions:
- Try running sec by hand with the rule modification above and watch for the
output. You should see something like:
Writing event 'OKOKOKOK: [2009-01-29 10:05:19] Notification: severity = OKAY, message = servername|192.168.1.172|CONFIG' to file -
OKOKOKOK: [2009-01-29 10:05:19] Notification: severity = OKAY, message = servername|192.168.1.172|CONFIG
- With your original configuration, try replacing your send-event.pl with a
different, very simple script, t.pl:
#!/usr/bin/perl
print "Hello from perl script.\n";
exit 0;
You should see something like:
Executing shell command '/opt/prod/test/jpb/t.pl'
Child 7286 created for command '/opt/prod/test/jpb/t.pl'
Hello from perl script.
- Check the permissions of send-event.pl and all permissions of
input, output, shell command file send-event.pl and all files used by that
script.
- Finally, try fully qualifying all pathnames. If this is a filename:
uei.mycompany.net/generic/collectd/inconsistentconfig
Try fully qualifying the filename with its full pathname:
/mydirectory/uei.mycompany.net/generic/collectd/inconsistentconfig
Hope this helps,
Jim B.
________________________________
From: Honia A [mailto:[email protected]]
Sent: Tue 3/10/2009 6:18 PM
To: SEC
Subject: Re: [Simple-evcorr-users] SEC conf file and shellcmd?
Risto,
Got it thanks. I chose the second option and just typed the command inside the
my.conf right in front of the action. But I just ran into a new problem.
Although my regexp pattern is correct, SEC fails to run properly. I don't
get any errors or anything and it looks like it's running, but when I check the log
file of the destination, it shows nothing has been sent out from SEC...
Here is all the work I've done so far:
my.conf
type=Single
ptype=RegExp
pattern=\[\d{4}(-\d\d){2} (\d\d:){2}\d\d\].\s*Notification:\sseverity\s*=\s*([^,]*),\s*message\s=.\s*(\S+)\|(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})\|(CONFIG)
desc=$0
action=shellcmd /opt/opennms/bin/send-event.pl uei.mycompany.net/generic/collectd/inconsistentconfig -i 192.168.1.1
Input file
[2008-09-29 20:28:58] uc_update: Value too old: name = server/netlink-eth0/if_tx_errors-window; value time = 1222708104; last cache update = 1222708104;
[2008-09-29 20:28:58] uc_update: Value too old: name = server/netlink-sit0/if_octets; value time = 1222708104; last cache update = 1222708104;
[2008-09-29 20:28:58] uc_update: Value too old: name = server/netlink-sit0/if_packets; value time = 1222708104; last cache update = 1222708104;
[2008-09-29 20:58:59] uc_update: Value too old: name = server/processes/state-s; value time = 1222709904; last cache update = 1222709904;
[2008-09-29 20:58:59] uc_update: Value too old: name = server/processes/state-z; value time = 1222709904; last cache update = 1222709904;
[2009-01-29 06:50:10] Notification: severity = OKAY, message = servername|192.168.1.179|NOCONFIG
[2009-01-29 10:05:19] Notification: severity = OKAY, message = servername|192.168.1.172|CONFIG
The command I am running
./sec.pl -conf=my.conf -input=/opt/collectd/var/log/test.log
Then I get the following message back (which is just saying sec is working
fine):
SEC (Simple Event Correlator) 2.5.0
Reading configuration from my.conf
1 rules loaded from my.conf
Stdin connected to terminal, handler for SIGINT not installed
Before I send this email to SEC mailing list, I double checked everything on
the destination software which is OpenNMS and even manually sent the event to
the system by running this command:
/opt/opennms/bin/send-event.pl uei.mycompany.net/generic/collectd/inconsistentconfig -i 192.168.1.1
Then checked the OpenNMS event log files and the event was listed there with no
problem, so I am pretty sure something is not configured properly on the SEC
side. Therefore I ran a couple of diagnosis tests:
1- Had SEC read the input from the terminal: ./sec.pl -conf=my.conf -input=-
Then typed this input:
[2009-01-29 10:05:19] Notification: severity = OKAY, message = servername|192.168.1.179|CONFIG
It printed the same line as an output so if I'm not mistaken, this proves the
regexp pattern is correct.
2- Thought maybe for some reason SEC can't find the input file so I moved the
input file from /opt/collectd/var/log directory to the same directory as SEC
and tried running it again:
./sec.pl -conf=my.conf -input=test.log
Still no dice...
I can't seem to find the problem. As I mentioned earlier, I am sure the
send-event.pl command is working...
Please help me figure this out,
Thanks in advance,
~honia
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
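
Added example, not part of either e-mail and not SEC's own code: it separates the two questions the thread works through, whether the rule's pattern fires on the quoted log lines and whether the program named in the shellcmd action can be started at all. Python's re module stands in for Perl's regex engine here, the sample log is constructed from the lines quoted above, and shellcmd_problems is a hypothetical helper that assumes the first word after shellcmd is the program to run.

```python
import os
import re
import shlex

# Pattern from the rule on this page, with the e-mail line wrap undone.
RULE_PATTERN = re.compile(
    r"\[\d{4}(-\d\d){2} (\d\d:){2}\d\d\].\s*Notification:\sseverity\s*=\s*([^,]*),"
    r"\s*message\s=.\s*(\S+)\|(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})\|(CONFIG)"
)

# Constructed sample input, based on the log lines quoted in the thread.
SAMPLE_LOG = """\
[2008-09-29 20:58:59] uc_update: Value too old: name = server/processes/state-z; value time = 1222709904; last cache update = 1222709904;
[2009-01-29 06:50:10] Notification: severity = OKAY, message = servername|192.168.1.179|NOCONFIG
[2009-01-29 10:05:19] Notification: severity = OKAY, message = servername|192.168.1.172|CONFIG
"""


def matching_lines(text):
    """Return (line_number, captured_groups) for every line the rule would fire on."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        found = RULE_PATTERN.search(line)
        if found:
            hits.append((number, found.groups()))
    return hits


def shellcmd_problems(action):
    """List reasons the program named in a 'shellcmd' action might not start."""
    words = shlex.split(action)
    if len(words) < 2 or words[0] != "shellcmd":
        return ["not a shellcmd action with a program name"]
    program = words[1]  # assumption: first word after 'shellcmd' is the program
    problems = []
    if not os.path.isabs(program):
        problems.append("program path is not fully qualified")
    if not os.path.isfile(program):
        problems.append("program file does not exist")
    elif not os.access(program, os.X_OK):
        problems.append("program is not executable by this user")
    return problems


if __name__ == "__main__":
    for number, groups in matching_lines(SAMPLE_LOG):
        print("line", number, "matches, groups:", groups)
    action = "shellcmd /opt/opennms/bin/send-event.pl uei.mycompany.net/generic/collectd/inconsistentconfig -i 192.168.1.1"
    print("shellcmd problems:", shellcmd_problems(action) or "none")
```

Run it as the same user that runs sec.pl, since the executable check depends on who is asking.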