James,

Thanks for trying to help me...I did what you said regarding send-event.pl 
modifications and unfortunately didn't get the same output as yours...same 
thing again, saying it's running but it doesn't.

Getting it to work with a remote host is not an option for me right now, SEC 
and the destination (opennms) are both located on the same host, so it should 
be pretty straightforward to run send-event.pl from inside SEC and generate a 
simple event...

Regarding what you mentioned about the action being just one long line, do you 
think SEC fails to read the entire line as one and because of the "-" and the 
whitespaces it thinks it might be two lines or something?

To test that, I put the action in a .sh file and named it honia.sh:

#!/bin/sh
# Shell command for sending events to OpenNMS via send-event.pl
#
./send-event.pl uei.mycompany.net/generic/collectd/inconsistentconfig -i 192.168.1.1

Then modified the action line:

action=shellcmd ./honia.sh

But it still doesn't work. I checked the permissions and everything looks 
good...

Any help will be much appreciated!

 

honia
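
The message above runs its scripts by relative path (`./send-event.pl`, `./honia.sh`) and sees no error output. The wrapper below is an added example, not part of the thread or of SEC: it records the working directory, user, PATH, output and exit status of whatever command `shellcmd` launches. The names `run_logged` and `SHELLCMD_LOG`, the log location and the `/path/to/` paths are assumptions.

```shell
#!/bin/sh
# Added example: diagnostic wrapper for a command launched by SEC's shellcmd.
# SHELLCMD_LOG, run_logged and the /path/to/ locations are assumptions.
#
# Rule usage (one line, absolute paths shown as placeholders):
#   action=shellcmd /path/to/sec-run.sh /path/to/send-event.pl <UEI> -i <ip>

SHELLCMD_LOG="${SHELLCMD_LOG:-/var/log/sec-shellcmd.log}"

# run_logged CMD [ARGS...]
# Appends the execution context, the command's stdout/stderr and its exit
# status to $SHELLCMD_LOG, then returns that exit status.
run_logged() {
    # A command containing "/" is used as a path (a relative one resolves
    # against the current directory); anything else is looked up in PATH.
    case "$1" in
        */*) if [ -x "$1" ]; then _how="path is executable"
             else _how="NOT FOUND or not executable as given"; fi ;;
        *)   if command -v "$1" >/dev/null 2>&1; then _how="found in PATH"
             else _how="NOT FOUND in PATH"; fi ;;
    esac
    {
        printf '=== %s\n' "$(date '+%Y-%m-%d %H:%M:%S')"
        printf 'cwd=%s\n' "$(pwd)"
        printf 'user=%s\n' "$(id -un 2>/dev/null || id -u)"
        printf 'PATH=%s\n' "$PATH"
        printf 'cmd=%s\n' "$*"
        printf 'resolve=%s\n' "$_how"
    } >>"$SHELLCMD_LOG"
    _rc=0
    "$@" >>"$SHELLCMD_LOG" 2>&1 || _rc=$?
    printf 'exit=%s\n' "$_rc" >>"$SHELLCMD_LOG"
    return "$_rc"
}

# When called with arguments (as from the SEC rule), run them and pass the
# exit status back to the caller.
[ "$#" -eq 0 ] || { run_logged "$@"; exit $?; }
```
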



 


 


 



Subject: RE: [Simple-evcorr-users] SEC conf file and shellcmd??
Date: Wed, 11 Mar 2009 11:38:33 -0400
From: [email protected]
To: [email protected]





Hi Honia,

OK, I loaded up send-event.pl on my system.

Basically, this script takes the parameters on the command line and 
creates some XML tags.  It then opens a socket connection to the
host you specify on the command line, sends the XML entries, and closes
the socket.

Since I don't have any other as a destination target, I made the following 
changes so I could run it locally:

# out jpb my $socket = IO::Socket::INET->new(PeerAddr => $HOST_TO, PeerPort => $PORT_TO, Proto => "tcp", Type => SOCK_STREAM)
# out jpb or die "Couldn't connect to $HOST_TO:$PORT_TO - $@\n";
print "$event" if ($VERBOSE);
# one new line jpb
print "[[[$event]]]";
# out jpb print $socket $event;
# out jpb $socket->close();

These changes just comment out the socket connection and print the XML on 
standard out.

I have the following config (careful of word wrap- the action line is just one 
long line):
 
type=Single
ptype=RegExp
pattern=\[\d{4}(-\d\d){2} (\d\d:){2}\d\d\].\s*Notification:\sseverity\s*=\s*([^,]*),\s*message\s=.\s*(\S+)\|(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})\|(CONFIG)
desc=$0
action=shellcmd /opt/UBS/prod/test/jpb/send-event.pl uei.mycompany.net/generic/collectd/inconsistentconfig -i 1.1.1.1
 
 
I ran it like this, and copied your input into file z.z:
 
r...@logmon:/opt/UBS/prod/test/jpb#perl ../../scripts/sec.pl -conf=t.conf -input=z.z
Simple Event Correlator version 2.1.9
Reading configuration from t.conf
1 rules loaded from t.conf
Executing shell command '/opt/UBS/prod/test/jpb/send-event.pl uei.mycompany.net/generic/collectd/inconsistentconfig -i 1.1.1.1'
Child 7952 created for command '/opt/UBS/prod/test/jpb/send-event.pl uei.mycompany.net/generic/collectd/inconsistentconfig -i 1.1.1.1'
[[[<log>
 <events>
  <event >
   <uei>uei.mycompany.net/generic/collectd/inconsistentconfig</uei>
   <source>perl_send_event</source>
   <time>Wednesday, March 11, 2009 4:16:33 PM GMT</time>
   <host>logmon.soc.mtesta.eu</host>
   <interface>1.1.1.1</interface>
  </event>
 </events>
</log>
]]]

 
I would say at this point, that sec is not the problem.  You should see the 
same output.
 
Also, I noticed that send-event.pl can send to a remote host.  Undo the changes 
to send-event.pl we made above, and try it again, with a parameter for sending 
to a remote host. While it's running, use wireshark or tcpdump or snoop to 
monitor the network traffic.  You should see the above entry somewhere in that 
traffic.
 
I hope this helps,
Jim B.
 
 
 
 



From: Honia A [mailto:[email protected]]
Sent: Wed 3/11/2009 2:46 PM
To: SEC
Subject: Re: [Simple-evcorr-users] SEC conf file and shellcmd?



Hi Jim,
 
Thanks for your reply.  I did everything you said and here are the results:
 
1) action=write - OKOKOKOK: $0 worked fine
 
2) I found out SEC skips all the lines if I don't use -notail...so I added 
-notail to the ./sec.pl command now
 
3) Changed my.conf so that SEC executes t.pl and it worked just fine...

4) Checked send-event.pl permission and it was 0755 which is fine. I even 
changed it to 0777 but still didn't work. I paste the code for send-event.pl at 
the end of this email for your review...I didn't seem to find anything wrong 
about it...maybe it calls other files and the permissions of those files are not 
set properly. Maybe you could take a look at it if possible :-)

I even moved the send-event.pl file to the same directory as sec but it still 
doesn't work. (got no errors or anything)

5) uei.mycompany.net/generic/collectd/inconsistentconfig  is just a label and 
not a path...so, it should be fine.

So at this point, we know that if I run this command directly from the 
terminal it works just fine:

[r...@servername sec-2.5.0]# ./send-event.pl uei.mycompany.net/generic/collectd/inconsistentconfig -i 192.168.1.1
 
But if I have SEC run that as a shellcmd command it fails...
 
Please help me,
 
Thanks in advance,
Honia
 
 
Here's the send-event.pl code:
 
#!/usr/bin/perl
use strict;
use Getopt::Long;
use IO::Socket;
use POSIX qw(strftime);
use vars qw(
 $VERSION
 $DESCR
 $HOSTNAME
 $INTERFACE
 $NODEID
 $SERVICE
 $SEVERITY
 $SOURCE
 $UEI
 $UUID
 $VERBOSE
 $ZONE
 $OPERINSTR
 @PARMS
 @SEVERITIES
 $HOST_TO
 $PORT_TO
);
$VERSION = '0.3';
$VERBOSE = 0;
$ZONE    = 'GMT';
@SEVERITIES = ( undef, 'Indeterminate', 'Cleared', 'Normal', 'Warning', 'Minor', 'Major', 'Critical' );
 
my $help = 0;
my $version = 0;
my $result = GetOptions("help|h" => \$help,
                        "descr|d=s"     => \$DESCR,
                        "interface|i=s" => \$INTERFACE,
                        "nodeid|n=i"    => \$NODEID,
                        "parm|p=s"      => \@PARMS,
                        "service|s=s"   => \$SERVICE,
                        "uuid|U=i"      => \$UUID,
                        "version|V"     => \$version,
                        "verbose|v"     => \$VERBOSE,
                        "severity|x=i"  => \$SEVERITY,
                        "operinstr|o=s" => \$OPERINSTR);
if (! $result) { print get_help(); exit; }
if ($version)  { print "$0 version $VERSION\n"; exit; }
if ($help)     { print get_help(); exit; }
# parm array is numerically referenced in OpenNMS' templates
@PARMS = reverse map { parse_parm($_) } @PARMS;
chomp (my $hostname = `hostname`);
my @addr = gethostbyname($hostname);
$SOURCE   = 'perl_send_event';
$HOSTNAME = gethostbyaddr($addr[4], 2);
$UEI      = $ARGV[0];
$HOST_TO  = $ARGV[1];
$PORT_TO  = 5817;
#### bounds-checking on various inputs
# UEI
if (defined $UEI) {
 unless (grep(m#uei#, $UEI)) {
  print "*** \"$UEI\" does not appear to be a valid UEI\n\n";
  print get_help();
  exit 1;
 }
} else {
 print get_banner(), "the UEI is a required field!\n";
 print get_help();
 exit 1;
}
if (defined $HOST_TO) {
 my ($host, $port) = split(/:/, $HOST_TO);
 if ($port =~ /^\d+$/ and $port > 0) {
  $PORT_TO = $port;
 }
 if ($host ne "") {
  $HOST_TO = $host;
 }
} else {
 $HOST_TO = 'localhost';
}
if (defined $SEVERITY) {
 my $SEVERITY_OK = 0;
 if ($SEVERITY !~ /^\d+$/) {
  $SEVERITY = ucfirst(lc($SEVERITY));
  for my $index (0..$#SEVERITIES) {
   if ($SEVERITY eq $SEVERITIES[$index]) {
    $SEVERITY_OK = 1;
    last;
   }
  }
  unless ($SEVERITY_OK) {
   print "*** $SEVERITY does not appear to be a valid severity level\n\n";
   print get_help();
   exit 1;
  }
 } else {
  if (defined $SEVERITIES[$SEVERITY]) {
   $SEVERITY = $SEVERITIES[$SEVERITY];
  } else {
   print "*** $SEVERITY does not appear to be a valid severity level\n\n";
   print get_help();
   exit 1;
  }
 }
}
if (defined $INTERFACE) {
 unless (4 == grep($_ <= 255, $INTERFACE =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/)) {
  print "*** \"$INTERFACE\" does not appear to be a valid IP address\n\n";
  print get_help();
  exit 1;
 }
}
if (defined $DESCR) {
 ($DESCR) = simple_parse($DESCR);
}
if (defined $SERVICE) {
 ($SERVICE) = simple_parse($SERVICE);
}
my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = gmtime(time);
$year += 1900;
my $month = $mon;
$min   = sprintf("%02d", $min);
$sec   = sprintf("%02d", $sec);
my $ap = "AM";
$ap    = "PM" if ($hour >= 12);
$hour  = $hour % 12;
my @week = ('Sunday', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday');
my @month = ('January', 'February', 'March', 'April', 'May', 'June', 'July', 'August', 'September', 'October', 'November', 'December');
my $uuidattribute;
if (defined $UUID) {
 $uuidattribute = "uuid=\"$UUID\"";
} else {
 $uuidattribute = "";
}

my $event = <<END;
<log>
 <events>
  <event $uuidattribute>
   <uei>$UEI</uei>
   <source>$SOURCE</source>
END
$event .= "   <nodeid>$NODEID</nodeid>\n"          if (defined $NODEID);
$event .= <<END;
   <time>$week[$wday], $month[$month] $mday, $year $hour:$min:$sec $ap $ZONE</time>
   <host>$HOSTNAME</host>
END
$event .= "   <interface>$INTERFACE</interface>\n" if (defined $INTERFACE);
$event .= "   <service>$SERVICE</service>\n"       if (defined $SERVICE);
if (@PARMS) {
  $event .= "   <parms>\n";
  for my $parm (@PARMS) {
    $event .= <<END;
    <parm>
     <parmName><![CDATA[$parm->{'name'}]]></parmName>
     <value type="string" encoding="text"><![CDATA[$parm->{'value'}]]></value>
    </parm>
END
  }
  $event .= "   </parms>\n";
}
$event .= "   <descr>$DESCR</descr>\n"             if (defined $DESCR);
$event .= "   <severity>$SEVERITY</severity>\n"    if (defined $SEVERITY);
$event .= "   <operinstruct>$OPERINSTR</operinstruct>\n" if (defined $OPERINSTR);
$event .= <<END;
  </event>
 </events>
</log>
END
print "- sending to $HOST_TO on port $PORT_TO...\n" if ($VERBOSE);
my $socket = IO::Socket::INET->new(PeerAddr => $HOST_TO, PeerPort => $PORT_TO, Proto => "tcp", Type => SOCK_STREAM)
 or die "Couldn't connect to $HOST_TO:$PORT_TO - $@\n";
print "$event" if ($VERBOSE);
print $socket $event;
$socket->close();
sub parse_parm {
  my $parm = shift;
  my ($name, $value) = split(/\s+/, $parm, 2);
  return ({ name => $name, value => $value });
}
sub get_banner {
 return <<END;
Usage: $0 <UEI> [host] [options]
END
}
sub simple_parse {
 for (@_) {
  s#\&#\&amp;#gs;
  s#\<#\&lt;#gs;
  s#\>#\&gt;#gs;
  s#\'#\&apos;#gs;
  s#\"#\&quot;#gs;
 }
 return @_;
}
sub get_help {
 return (get_banner, <<END);
Options:
         <UEI>             the universal event identifier (URI)
         [host[:port]]     a hostname to send the event to (default: localhost)
         --version, -V     print version and exit successfully
         --verbose, -v     print the raw XML that's generated
         --help, -h        this help message
         --timezone, -t    the time zone you are in
         --service, -s     service name 
         --nodeid, -n      node identifier (numeric)
         --interface, -i   IP address of the interface
         --descr, -d       a description for the event browser
         --severity, -x    the severity of the event (numeric or name)
                           1 = Indeterminate
                           2 = Cleared (unimplemented at this time)
                           3 = Normal
                           4 = Warning
                           5 = Minor
                           6 = Major
                           7 = Critical
         --parm, -p        an event parameter (ie:
                           --parm 'url http://www.google.com/')
         --uuid, -U        a UUID to pass with the event
Example: Force discovery of a node:
        send-event.pl \\
                --interface 172.16.1.1 \\
                uei.opennms.org/internal/discovery/newSuspect
END
}



 



