Honia,

are you running SEC in the daemon mode (with the -detach option)? If so, all scripts in your rule files *must* be specified with full path names, since in the daemon mode SEC changes its working directory to /.

Also, have you activated logging for SEC with the -log option? If so, what kind of messages are appearing in the SEC log file about the script execution?

br,
risto

> James,
>
> Thanks for trying to help me...I did what you said regarding send-event.pl modifications and unfortunately didn't get the same output as yours...same thing again, saying it's running but it doesn't.
>
> Getting it to work with a remote host is not an option for me right now, SEC and the destination (opennms) are both located on the same host, so it should be pretty straightforward to run send-event.pl from inside SEC and generate a simple event...
>
> Regarding what you mentioned about the action being just one long line, do you think SEC fails to read the entire line as one and because of the "-" and the whitespaces it thinks it might be two lines or something?
>
> To test that, I put the action in a .sh file and named it honia.sh:
>
> #!/bin/sh
> # Shell command for sending events to OpenNMS via send-event.pl
> #
> ./send-event.pl uei.mycompany.net/generic/collectd/inconsistentconfig -i 192.168.1.1
>
> Then modified the action line:
>
> action=shellcmd ./honia.sh
>
> But it still doesn't work. I checked the permissions and everything looks good...
>
> Any help will be much appreciated!
>
> honia
>
> Subject: RE: [Simple-evcorr-users] SEC conf file and shellcmd??
> Date: Wed, 11 Mar 2009 11:38:33 -0400
> From: [email protected]
> To: [email protected]
>
> Hi Honia,
>
> OK, I loaded up send-event.pl on my system.
>
> Basically, this script takes the parameters on the command line and creates some XML tags. It then opens a socket connection to the host you specify on the command line, sends the XML entries, and closes the socket.
>
> Since I don't have any other as a destination target, I made the following changes so I could run it locally:
>
> # out jpb my $socket = IO::Socket::INET->new(PeerAddr => $HOST_TO, PeerPort => $PORT_TO, Proto => "tcp", Type => SOCK_STREAM)
> # out jpb     or die "Couldn't connect to $HOST_TO:$PORT_TO - $@\n";
> print "$event" if ($VERBOSE);
> # one new line jpb
> print "[[[$event]]]";
> # out jpb print $socket $event;
> # out jpb $socket->close();
>
> These changes just comment out the socket connection and print the XML on standard out.
>
> I have the following config (careful of word wrap- the action line is just one long line):
>
> type=Single
> ptype=RegExp
> pattern=\[\d{4}(-\d\d){2} (\d\d:){2}\d\d\].\s*Notification:\sseverity\s*=\s*([^,]*),\s*message\s=.\s*(\S+)\|(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})\|(CONFIG)
> desc=$0
> action=shellcmd /opt/UBS/prod/test/jpb/send-event.pl uei.mycompany.net/generic/collectd/inconsistentconfig -i 1.1.1.1
>
> I ran it like this, and copied your input into file z.z:
>
> r...@logmon:/opt/UBS/prod/test/jpb#perl ../../scripts/sec.pl -conf=t.conf -input=z.z
> Simple Event Correlator version 2.1.9
> Reading configuration from t.conf
> 1 rules loaded from t.conf
> Executing shell command '/opt/UBS/prod/test/jpb/send-event.pl uei.mycompany.net/generic/collectd/inconsistentconfig -i 1.1.1.1'
> Child 7952 created for command '/opt/UBS/prod/test/jpb/send-event.pl uei.mycompany.net/generic/collectd/inconsistentconfig -i 1.1.1.1'
> [[[<log>
>  <events>
>   <event >
>    <uei>uei.mycompany.net/generic/collectd/inconsistentconfig</uei>
>    <source>perl_send_event</source>
>    <time>Wednesday, March 11, 2009 4:16:33 PM GMT</time>
>    <host>logmon.soc.mtesta.eu</host>
>    <interface>1.1.1.1</interface>
>   </event>
>  </events>
> </log>
> ]]]
>
> I would say at this point, that sec is not the problem. You should see the same output.
>
> Also, I noticed that send-event.pl can send to a remote host.
> Undo the changes to send-event.pl we made above, and try it again, with a parameter for sending to a remote host.
> While it's running, use wireshark or tcpdump or snoop to monitor the network traffic. You should see the above entry somewhere in that traffic.
>
> I hope this helps,
> Jim B.
>
> From: Honia A [mailto:[email protected]]
> Sent: Wed 3/11/2009 2:46 PM
> To: SEC
> Subject: Re: [Simple-evcorr-users] SEC conf file and shellcmd?
>
> Hi Jim,
>
> Thanks for your reply. I did everything you said and here are the results:
>
> 1) action=write - OKOKOKOK: $0 worked fine
>
> 2) I found out SEC skips all the lines if I don't use -notail...so I added -notail to the ./sec.pl command now
>
> 3) Changed my.conf so that SEC executes t.pl and it worked just fine...
>
> 4) Checked send-event.pl permission and it was 0755 which is fine. I even changed it to 0777 but still didn't work. I paste the code for send-event.pl at the end of this email for your review...I didn't seem to find anything wrong about it...maybe it calls other files and the permission of those files are not set properly. Maybe you could take a look at it if possible :-)
>
> I even moved the send-event.pl file to the same directory as sec but it still doesn't work. (got no errors or anything)
>
> 5) uei.mycompany.net/generic/collectd/inconsistentconfig is just a label and not a path...so, it should be fine.
>
> So at this point, we know that if I run this command directly from the terminal it works just fine:
>
> [r...@servername sec-2.5.0]# ./send-event.pl uei.mycompany.net/generic/collectd/inconsistentconfig -i 192.168.1.1
>
> But if I have SEC run that as a shellcmd command it fails...
>
> Please help me,
>
> Thanks in advance,
> Honia
>
> Here's the send-event.pl code:
>
> #!/usr/bin/perl
> use strict;
> use Getopt::Long;
> use IO::Socket;
> use POSIX qw(strftime);
> use vars qw(
>     $VERSION
>     $DESCR
>     $HOSTNAME
>     $INTERFACE
>     $NODEID
>     $SERVICE
>     $SEVERITY
>     $SOURCE
>     $UEI
>     $UUID
>     $VERBOSE
>     $ZONE
>     $OPERINSTR
>     @PARMS
>     @SEVERITIES
>     $HOST_TO
>     $PORT_TO
> );
> $VERSION = '0.3';
> $VERBOSE = 0;
> $ZONE = 'GMT';
> @SEVERITIES = ( undef, 'Indeterminate', 'Cleared', 'Normal', 'Warning', 'Minor', 'Major', 'Critical' );
>
> my $help = 0;
> my $version = 0;
> my $result = GetOptions("help|h"        => \$help,
>                         "descr|d=s"     => \$DESCR,
>                         "interface|i=s" => \$INTERFACE,
>                         "nodeid|n=i"    => \$NODEID,
>                         "parm|p=s"      => \@PARMS,
>                         "service|s=s"   => \$SERVICE,
>                         "uuid|U=i"      => \$UUID,
>                         "version|V"     => \$version,
>                         "verbose|v"     => \$VERBOSE,
>                         "severity|x=i"  => \$SEVERITY,
>                         "operinstr|o=s" => \$OPERINSTR);
> if (! $result) { print get_help(); exit; }
> if ($version) { print "$0 version $VERSION\n"; exit; }
> if ($help) { print get_help(); exit; }
> # parm array is numerically referenced in OpenNMS' templates
> @PARMS = reverse map { parse_parm($_) } @PARMS;
> chomp (my $hostname = `hostname`);
> my @addr = gethostbyname($hostname);
> $SOURCE = 'perl_send_event';
> $HOSTNAME = gethostbyaddr($addr[4], 2);
> $UEI = $ARGV[0];
> $HOST_TO = $ARGV[1];
> $PORT_TO = 5817;
> #### bounds-checking on various inputs
> # UEI
> if (defined $UEI) {
>     unless (grep(m#uei#, $UEI)) {
>         print "*** \"$UEI\" does not appear to be a valid UEI\n\n";
>         print get_help();
>         exit 1;
>     }
> } else {
>     print get_banner(), "the UEI is a required field!\n";
>     print get_help();
>     exit 1;
> }
> if (defined $HOST_TO) {
>     my ($host, $port) = split(/:/, $HOST_TO);
>     if ($port =~ /^\d+$/ and $port > 0) {
>         $PORT_TO = $port;
>     }
>     if ($host ne "") {
>         $HOST_TO = $host;
>     }
> } else {
>     $HOST_TO = 'localhost';
> }
> if (defined $SEVERITY) {
>     my $SEVERITY_OK = 0;
>     if ($SEVERITY !~ /^\d+$/) {
>         $SEVERITY = ucfirst(lc($SEVERITY));
>         for my $index (0..$#SEVERITIES) {
>             if ($SEVERITY eq $SEVERITIES[$index]) {
>                 $SEVERITY_OK = 1;
>                 last;
>             }
>         }
>         unless ($SEVERITY_OK) {
>             print "*** $SEVERITY does not appear to be a valid severity level\n\n";
>             print get_help();
>             exit 1;
>         }
>     } else {
>         if (defined $SEVERITIES[$SEVERITY]) {
>             $SEVERITY = $SEVERITIES[$SEVERITY];
>         } else {
>             print "*** $SEVERITY does not appear to be a valid severity level\n\n";
>             print get_help();
>             exit 1;
>         }
>     }
> }
> if (defined $INTERFACE) {
>     unless (4 == grep($_ <= 255, $INTERFACE =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/))
>     {
>         print "*** \"$INTERFACE\" does not appear to be a valid IP address\n\n";
>         print get_help();
>         exit 1;
>     }
> }
> if (defined $DESCR) {
>     ($DESCR) = simple_parse($DESCR);
> }
> if (defined $SERVICE) {
>     ($SERVICE) = simple_parse($SERVICE);
> }
> my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = gmtime(time);
> $year += 1900;
> my $month = $mon;
> $min = sprintf("%02d", $min);
> $sec = sprintf("%02d", $sec);
> my $ap = "AM";
> $ap = "PM" if ($hour >= 12);
> $hour = $hour % 12;
> my @week = ('Sunday', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday');
> my @month = ('January', 'February', 'March', 'April', 'May', 'June', 'July', 'August', 'September', 'October', 'November', 'December');
> my $uuidattribute;
> if (defined $UUID) {
>     $uuidattribute = "uuid=\"$UUID\"";
> } else {
>     $uuidattribute = "";
> }
>
> my $event = <<END;
> <log>
>  <events>
>   <event $uuidattribute>
>    <uei>$UEI</uei>
>    <source>$SOURCE</source>
> END
> $event .= "   <nodeid>$NODEID</nodeid>\n" if (defined $NODEID);
> $event .= <<END;
>    <time>$week[$wday], $month[$month] $mday, $year $hour:$min:$sec $ap $ZONE</time>
>    <host>$HOSTNAME</host>
> END
> $event .= "   <interface>$INTERFACE</interface>\n" if (defined $INTERFACE);
> $event .= "   <service>$SERVICE</service>\n" if (defined $SERVICE);
> if (@PARMS) {
>     $event .= "   <parms>\n";
>     for my $parm (@PARMS) {
>         $event .= <<END;
>     <parm>
>      <parmName><![CDATA[$parm->{'name'}]]></parmName>
>      <value type="string" encoding="text"><![CDATA[$parm->{'value'}]]></value>
>     </parm>
> END
>     }
>     $event .= "   </parms>\n";
> }
> $event .= "   <descr>$DESCR</descr>\n" if (defined $DESCR);
> $event .= "   <severity>$SEVERITY</severity>\n" if (defined $SEVERITY);
> $event .= "   <operinstruct>$OPERINSTR</operinstruct>\n" if (defined $OPERINSTR);
> $event .= <<END;
>   </event>
>  </events>
> </log>
> END
> print "- sending to $HOST_TO on port $PORT_TO...\n" if ($VERBOSE);
> my $socket = IO::Socket::INET->new(PeerAddr => $HOST_TO, PeerPort => $PORT_TO, Proto => "tcp", Type => SOCK_STREAM)
>     or die "Couldn't connect to $HOST_TO:$PORT_TO - $@\n";
> print "$event" if ($VERBOSE);
> print $socket $event;
> $socket->close();
> sub parse_parm {
>     my $parm = shift;
>     my ($name, $value) = split(/\s+/, $parm, 2);
>     return ({ name => $name, value => $value });
> }
> sub get_banner {
>     return <<END;
> Usage: $0 <UEI> [host] [options]
> END
> }
> sub simple_parse {
>     for (@_) {
>         s#\&#\&amp;#gs;
>         s#\<#\&lt;#gs;
>         s#\>#\&gt;#gs;
>         s#\'#\&apos;#gs;
>         s#\"#\&quot;#gs;
>     }
>     return @_;
> }
> sub get_help {
>     return (get_banner, <<END);
> Options:
>     <UEI>            the universal event identifier (URI)
>     [host[:port]]    a hostname to send the event to (default: localhost)
>     --version, -V    print version and exit successfully
>     --verbose, -v    print the raw XML that's generated
>     --help, -h       this help message
>     --timezone, -t   the time zone you are in
>     --service, -s    service name
>     --nodeid, -n     node identifier (numeric)
>     --interface, -i  IP address of the interface
>     --descr, -d      a description for the event browser
>     --severity, -x   the severity of the event (numeric or name)
>                        1 = Indeterminate
>                        2 = Cleared (unimplemented at this time)
>                        3 = Normal
>                        4 = Warning
>                        5 = Minor
>                        6 = Major
>                        7 = Critical
>     --parm, -p       an event parameter (ie: --parm 'url http://www.google.com/')
>     --uuid, -U       a UUID to pass with the event
> Example: Force discovery of a node:
>     send-event.pl \\
>         --interface 172.16.1.1 \\
>         uei.opennms.org/internal/discovery/newSuspect
> END
> }

_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
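
Added example (not part of the original thread and not SEC's own code): a shell check for the failure described in the reply at the top. `find_relative_shellcmd` lists `shellcmd` actions whose program is not given by full path, and `run_from_root` approximates a detached SEC by running a command line with `/` as the working directory. The sample rules, the function names and the `/opt/sec` path are constructed for illustration.

```shell
# Added example: catch SEC shellcmd actions that break once SEC runs with cwd=/.
# Assumes one rule field per line, ";"-separated actions, no parenthesised commands.

# Print "file:line: program" for each shellcmd whose program path is relative.
find_relative_shellcmd() {
    awk '
        /^[ \t]*action[ \t]*=/ {
            line = $0
            sub(/^[ \t]*action[ \t]*=[ \t]*/, "", line)
            n = split(line, acts, ";")
            for (i = 1; i <= n; i++) {
                a = acts[i]
                sub(/^[ \t]+/, "", a)
                if (a !~ /^shellcmd[ \t]+/) continue
                sub(/^shellcmd[ \t]+/, "", a)
                split(a, words, /[ \t]+/)
                if (words[1] !~ /^\//)
                    printf "%s:%d: %s\n", FILENAME, FNR, words[1]
            }
        }
    ' "$@"
}

# Approximate a detached SEC: run the command line with / as working directory.
run_from_root() {
    ( cd / && sh -c "$1" ) >/dev/null 2>&1
}

# Constructed sample: the relative action from the thread, then a fixed one
# (/opt/sec is a hypothetical install directory).
write_sample_rules() {
    cat > "$1" <<'EOF'
type=Single
ptype=RegExp
pattern=CONFIG
desc=$0
action=shellcmd ./honia.sh

type=Single
ptype=RegExp
pattern=CONFIG
desc=$0
action=write - seen: $0; shellcmd /opt/sec/honia.sh
EOF
}

sample=$(mktemp) && write_sample_rules "$sample"
find_relative_shellcmd "$sample"
rm -f "$sample"
```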
