Risto,
No, I am running SEC in regular mode (-nodetach) and yes, I'm using the SEC log as
well, which just shows that the rule was found and the send-event.pl command was
executed successfully... Here's an update:
I replaced the pattern in my.conf with a much simpler one:
my.conf
# Example my.conf
# Recognize a pattern and execute send-event.pl
#
type=Single
ptype=RegExp
pattern=foobar
desc=$0
action=shellcmd ./honia.sh
honia.sh
#!/bin/sh
# Shell command for sending events to OpenNMS via send-event.pl
#
./send-event.pl uei.mycompany.net/generic/collectd/inconsistentconfig -i 192.168.1.1
Now, when I run SEC, if I leave the input as input=- and type the word foobar
at runtime, it works: send-event is called and sends the
event to ONMS successfully. (See output 1)
But if I save the word foobar into a file named monitor.me or something
else, SEC will not match anything and therefore send-event will not be called
(See output 2). Here are the outputs I get for each case:
Output 1:
[r...@servername sec-2.5.0]# ./sec.pl -conf=my.conf -input=-
SEC (Simple Event Correlator) 2.5.0
Reading configuration from my.conf
1 rules loaded from my.conf
Stdin connected to terminal, handler for SIGINT not installed
foobar
Executing shell command './honia.sh'
Child 9126 created for command './honia.sh'
Output 2:
[r...@servername sec-2.5.0]# ./sec.pl -conf=my.conf -input=monitor.me
SEC (Simple Event Correlator) 2.5.0
Reading configuration from my.conf
1 rules loaded from my.conf
Stdin connected to terminal, handler for SIGINT not installed
monitor.me
foobar
At this point my questions are:
1) Why can SEC read the input from the terminal but not from the input file?
2) What would be the simplest pattern that matches only the log lines with the
word CONFIG in them and doesn't match the ones with the word NOCONFIG?
Thanks in advance,
Honia
> Date: Wed, 11 Mar 2009 12:25:12 -0700
> From: [email protected]
> Subject: Re: [Simple-evcorr-users] SEC conf file and shellcmd??
> To: [email protected]; [email protected];
> [email protected]
>
>
> Honia,
> are you running SEC in the daemon mode (with the -detach option)? If so, all
> scripts in your rule files *must* be specified with full path names, since in
> the daemon mode SEC changes its working directory to /.
> Also, have you activated logging for SEC with the -log option? If so, what
> kind of messages are appearing in the SEC log file about the script execution?
> br,
> risto
>
> > James,
> >
> >
> >
> > Thanks for trying to help me... I did what you said
> > regarding the send-event.pl modifications and unfortunately
> > didn't get the same output as yours... same thing again,
> > it says it's running but it doesn't.
> >
> >
> >
> > Getting it to work with a remote host is not an option for
> > me right now; SEC and the destination (OpenNMS) are both
> > located on the same host, so it should be pretty straightforward
> > to run send-event.pl from inside SEC and generate a
> > simple event...
> >
> >
> >
> > Regarding what you mentioned about the action being just
> > one long line, do you think SEC fails to read the entire
> > line as one and because of the "-" and the
> > whitespaces it thinks it might be two lines or something?
> >
> > To test that, I put the action in a .sh file and named it
> > honia.sh:
> >
> >
> >
> > #!/bin/sh
> > # Shell command for sending events to OpenNMS via send-event.pl
> > #
> > ./send-event.pl uei.mycompany.net/generic/collectd/inconsistentconfig -i 192.168.1.1
> >
> >
> >
> > Then modified the action line:
> >
> > action=shellcmd ./honia.sh
> >
> >
> >
> > But it still doesn't work. I checked the permissions
> > and everything looks good...
> >
> >
> > Any help will be much appreciated!
> >
> >
> >
> > honia
> >
> > Subject: RE: [Simple-evcorr-users] SEC conf file and
> > shellcmd??
> > Date: Wed, 11 Mar 2009 11:38:33 -0400
> > From: [email protected]
> > To: [email protected]
> >
> > Hi Honia,
> >
> > OK, I loaded up send-event.pl on my system.
> >
> > Basically, this script takes the parameters on the command line and
> > creates some XML tags. It then opens a socket connection to the
> > host you specify on the command line, sends the XML entries, and closes
> > the socket.
> >
> > Since I don't have anything else as a destination target, I
> > made the following changes so I could run it locally:
> >
> >
> > # out jpb my $socket = IO::Socket::INET->new(PeerAddr => $HOST_TO, PeerPort => $PORT_TO, Proto => "tcp", Type => SOCK_STREAM)
> > # out jpb     or die "Couldn't connect to $HOST_TO:$PORT_TO - $@\n";
> > print "$event" if ($VERBOSE);
> > # one new line jpb
> > print "[[[$event]]]";
> > # out jpb print $socket $event;
> > # out jpb $socket->close();
> >
> > These changes just comment out the socket connection and
> > print the XML on standard out.
> >
> > I have the following config (careful of word wrap- the
> > action line is just one long line):
> >
> > type=Single
> > ptype=RegExp
> > pattern=\[\d{4}(-\d\d){2} (\d\d:){2}\d\d\].\s*Notification:\sseverity\s*=\s*([^,]*),\s*message\s=.\s*(\S+)\|(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})\|(CONFIG)
> > desc=$0
> > action=shellcmd /opt/UBS/prod/test/jpb/send-event.pl uei.mycompany.net/generic/collectd/inconsistentconfig -i 1.1.1.1
> >
> >
> > I ran it like this, and copied your input into file z.z:
> >
> > r...@logmon:/opt/UBS/prod/test/jpb# perl ../../scripts/sec.pl -conf=t.conf -input=z.z
> > Simple Event Correlator version 2.1.9
> > Reading configuration from t.conf
> > 1 rules loaded from t.conf
> > Executing shell command '/opt/UBS/prod/test/jpb/send-event.pl uei.mycompany.net/generic/collectd/inconsistentconfig -i 1.1.1.1'
> > Child 7952 created for command '/opt/UBS/prod/test/jpb/send-event.pl uei.mycompany.net/generic/collectd/inconsistentconfig -i 1.1.1.1'
> > [[[<log>
> > <events>
> > <event >
> >
> > <uei>uei.mycompany.net/generic/collectd/inconsistentconfig</uei>
> > <source>perl_send_event</source>
> > <time>Wednesday, March 11, 2009 4:16:33 PM
> > GMT</time>
> > <host>logmon.soc.mtesta.eu</host>
> > <interface>1.1.1.1</interface>
> > </event>
> > </events>
> > </log>
> > ]]]
> >
> >
> > I would say at this point, that sec is not the problem.
> > You should see the same output.
> >
> > Also, I noticed that send-event.pl can send to a remote
> > host. Undo the changes to send-event.pl
> > we made above, and try it again, with a parameter for
> > sending to a remote host.
> > While it's running, use wireshark or tcpdump or snoop
> > to monitor the network traffic. You should see the
> > above entry somewhere in that traffic.
> >
> > I hope this helps,
> > Jim B.
> >
> > From: Honia A [mailto:[email protected]]
> > Sent: Wed 3/11/2009 2:46 PM
> > To: SEC
> > Subject: Re: [Simple-evcorr-users] SEC conf file and
> > shellcmd?
> >
> >
> >
> > Hi Jim,
> >
> > Thanks for your reply. I did everything you said and here
> > are the results:
> >
> > 1) action=write - OKOKOKOK: $0 worked fine
> >
> > 2) I found out SEC skips all the lines if I don't use
> > -notail...so I added -notail to the ./sec.pl command now
> >
> > 3) Changed my.conf so that SEC execute t.pl and it worked
> > just fine...
> >
> > 4) Checked the send-event.pl permissions and they were 0755, which
> > is fine. I even changed them to 0777 but it still didn't
> > work. I pasted the code for send-event.pl at the end of this
> > email for your review... I didn't seem to find anything
> > wrong with it... maybe it calls other files and the
> > permissions of those files are not set properly. Maybe you
> > could take a look at it if possible :-)
> >
> > I even moved the send-event.pl file to the same directory as
> > sec but it still doesn't work. (got no errors or
> > anything)
> >
> > 5) uei.mycompany.net/generic/collectd/inconsistentconfig
> > is just a label and not a path...so, it should be fine.
> >
> >
> > So at this point, we know that if I run this command
> > directly from the terminal it works just fine:
> >
> > [r...@servername sec-2.5.0]# ./send-event.pl uei.mycompany.net/generic/collectd/inconsistentconfig -i 192.168.1.1
> >
> > But if I have SEC run that as a shellcmd command it
> > fails...
> >
> > Please help me,
> >
> > Thanks in advance,
> > Honia
> >
> >
> > Here's the send-event.pl code:
> >
> > #!/usr/bin/perl
> > # send-event.pl: build an OpenNMS event as XML and deliver it to eventd
> > # over TCP (port 5817 unless host:port is given).
> > # Restored from the mail archive's rendering: wrapped lines are re-joined,
> > # "$...@" and "\...@parms" are the archive's address-obfuscation of $@ and
> > # \@PARMS, and the XML entities in simple_parse had been decoded back into
> > # the characters they escape. The two behavioural fixes are marked below.
> > use strict;
> > use Getopt::Long;
> > use IO::Socket;
> > use POSIX qw(strftime);
> > use vars qw(
> >     $VERSION $DESCR $HOSTNAME $INTERFACE $NODEID $SERVICE $SEVERITY
> >     $SOURCE $UEI $UUID $VERBOSE $ZONE $OPERINSTR @PARMS @SEVERITIES
> >     $HOST_TO $PORT_TO
> > );
> > $VERSION = '0.3';
> > $VERBOSE = 0;
> > $ZONE = 'GMT';
> > @SEVERITIES = ( undef, 'Indeterminate', 'Cleared', 'Normal', 'Warning',
> >                 'Minor', 'Major', 'Critical' );
> >
> > my $help = 0;
> > my $version = 0;
> > # severity is "=s", not "=i": the help text and the lookup below accept
> > # names as well as numbers, which Getopt::Long would reject with "=i".
> > # (--timezone/-t is listed in the help but was never implemented.)
> > my $result = GetOptions("help|h"        => \$help,
> >                         "descr|d=s"     => \$DESCR,
> >                         "interface|i=s" => \$INTERFACE,
> >                         "nodeid|n=i"    => \$NODEID,
> >                         "parm|p=s"      => \@PARMS,
> >                         "service|s=s"   => \$SERVICE,
> >                         "uuid|U=i"      => \$UUID,
> >                         "version|V"     => \$version,
> >                         "verbose|v"     => \$VERBOSE,
> >                         "severity|x=s"  => \$SEVERITY,
> >                         "operinstr|o=s" => \$OPERINSTR);
> > if (! $result) { print get_help(); exit; }
> > if ($version) { print "$0 version $VERSION\n"; exit; }
> > if ($help) { print get_help(); exit; }
> > # parm array is numerically referenced in OpenNMS' templates
> > @PARMS = reverse map { parse_parm($_) } @PARMS;
> > chomp (my $hostname = `hostname`);
> > my @addr = gethostbyname($hostname);
> > $SOURCE = 'perl_send_event';
> > $HOSTNAME = gethostbyaddr($addr[4], 2);   # 2 == AF_INET
> > $UEI = $ARGV[0];
> > $HOST_TO = $ARGV[1];
> > $PORT_TO = 5817;
> > #### bounds-checking on various inputs
> > # UEI
> > if (defined $UEI) {
> >     unless (grep(m#uei#, $UEI)) {
> >         print "*** \"$UEI\" does not appear to be a valid UEI\n\n";
> >         print get_help();
> >         exit 1;
> >     }
> > } else {
> >     print get_banner(), "the UEI is a required field!\n";
> >     print get_help();
> >     exit 1;
> > }
> > if (defined $HOST_TO) {
> >     my ($host, $port) = split(/:/, $HOST_TO);
> >     if (defined $port and $port =~ /^\d+$/ and $port > 0) {
> >         $PORT_TO = $port;
> >     }
> >     if ($host ne "") {
> >         $HOST_TO = $host;
> >     }
> > } else {
> >     $HOST_TO = 'localhost';
> > }
> > if (defined $SEVERITY) {
> >     my $SEVERITY_OK = 0;
> >     if ($SEVERITY !~ /^\d+$/) {
> >         # a name: normalise case and look it up (index 0 is the undef slot)
> >         $SEVERITY = ucfirst(lc($SEVERITY));
> >         for my $index (1..$#SEVERITIES) {
> >             if ($SEVERITY eq $SEVERITIES[$index]) {
> >                 $SEVERITY_OK = 1;
> >                 last;
> >             }
> >         }
> >         unless ($SEVERITY_OK) {
> >             print "*** $SEVERITY does not appear to be a valid severity level\n\n";
> >             print get_help();
> >             exit 1;
> >         }
> >     } else {
> >         if (defined $SEVERITIES[$SEVERITY]) {
> >             $SEVERITY = $SEVERITIES[$SEVERITY];
> >         } else {
> >             print "*** $SEVERITY does not appear to be a valid severity level\n\n";
> >             print get_help();
> >             exit 1;
> >         }
> >     }
> > }
> > if (defined $INTERFACE) {
> >     # four dotted decimal octets, each <= 255
> >     unless (4 == grep($_ <= 255, $INTERFACE =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/)) {
> >         print "*** \"$INTERFACE\" does not appear to be a valid IP address\n\n";
> >         print get_help();
> >         exit 1;
> >     }
> > }
> > if (defined $DESCR) {
> >     ($DESCR) = simple_parse($DESCR);
> > }
> > if (defined $SERVICE) {
> >     ($SERVICE) = simple_parse($SERVICE);
> > }
> > my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = gmtime(time);
> > $year += 1900;
> > my $month = $mon;
> > $min = sprintf("%02d", $min);
> > $sec = sprintf("%02d", $sec);
> > my $ap = "AM";
> > $ap = "PM" if ($hour >= 12);
> > $hour = $hour % 12;
> > $hour = 12 if ($hour == 0);    # 12-hour clock: 00:xx is 12 AM, 12:xx is 12 PM
> > my @week = ('Sunday', 'Monday', 'Tuesday', 'Wednesday', 'Thursday',
> >             'Friday', 'Saturday');
> > my @month = ('January', 'February', 'March', 'April', 'May', 'June', 'July',
> >              'August', 'September', 'October', 'November', 'December');
> > my $uuidattribute;
> > if (defined $UUID) {
> >     $uuidattribute = "uuid=\"$UUID\"";
> > } else {
> >     $uuidattribute = "";
> > }
> >
> > my $event = <<END;
> > <log>
> >  <events>
> >   <event $uuidattribute>
> >    <uei>$UEI</uei>
> >    <source>$SOURCE</source>
> > END
> > $event .= "   <nodeid>$NODEID</nodeid>\n" if (defined $NODEID);
> > $event .= <<END;
> >    <time>$week[$wday], $month[$month] $mday, $year $hour:$min:$sec $ap $ZONE</time>
> >    <host>$HOSTNAME</host>
> > END
> > $event .= "   <interface>$INTERFACE</interface>\n" if (defined $INTERFACE);
> > $event .= "   <service>$SERVICE</service>\n" if (defined $SERVICE);
> > if (@PARMS) {
> >     $event .= "   <parms>\n";
> >     for my $parm (@PARMS) {
> >         $event .= <<END;
> >     <parm>
> >      <parmName><![CDATA[$parm->{'name'}]]></parmName>
> >      <value type="string" encoding="text"><![CDATA[$parm->{'value'}]]></value>
> >     </parm>
> > END
> >     }
> >     $event .= "   </parms>\n";
> > }
> > $event .= "   <descr>$DESCR</descr>\n" if (defined $DESCR);
> > $event .= "   <severity>$SEVERITY</severity>\n" if (defined $SEVERITY);
> > $event .= "   <operinstruct>$OPERINSTR</operinstruct>\n" if (defined $OPERINSTR);
> > $event .= <<END;
> >   </event>
> >  </events>
> > </log>
> > END
> > print "- sending to $HOST_TO on port $PORT_TO...\n" if ($VERBOSE);
> > my $socket = IO::Socket::INET->new(PeerAddr => $HOST_TO, PeerPort => $PORT_TO,
> >                                    Proto => "tcp", Type => SOCK_STREAM)
> >     or die "Couldn't connect to $HOST_TO:$PORT_TO - $@\n";
> > print "$event" if ($VERBOSE);
> > print $socket $event;
> > $socket->close();
> > # "--parm 'name value'": first whitespace splits name from value
> > sub parse_parm {
> >     my $parm = shift;
> >     my ($name, $value) = split(/\s+/, $parm, 2);
> >     return ({ name => $name, value => $value });
> > }
> > sub get_banner {
> >     return <<END;
> > Usage: $0 <UEI> [host] [options]
> > END
> > }
> > # Escape the XML special characters; applied to --descr and --service only
> > # (parm names and values are emitted inside CDATA sections instead).
> > sub simple_parse {
> >     for (@_) {
> >         s#&#&amp;#gs;
> >         s#<#&lt;#gs;
> >         s#>#&gt;#gs;
> >         s#'#&apos;#gs;
> >         s#"#&quot;#gs;
> >     }
> >     return @_;
> > }
> > sub get_help {
> >     return (get_banner, <<END);
> > Options:
> >     <UEI>               the universal event identifier (URI)
> >     [host[:port]]       a hostname to send the event to (default: localhost)
> >     --version, -V       print version and exit successfully
> >     --verbose, -v       print the raw XML that's generated
> >     --help, -h          this help message
> >     --timezone, -t      the time zone you are in
> >     --service, -s       service name
> >     --nodeid, -n        node identifier (numeric)
> >     --interface, -i     IP address of the interface
> >     --descr, -d         a description for the event browser
> >     --severity, -x      the severity of the event (numeric or name)
> >                             1 = Indeterminate
> >                             2 = Cleared (unimplemented at this time)
> >                             3 = Normal
> >                             4 = Warning
> >                             5 = Minor
> >                             6 = Major
> >                             7 = Critical
> >     --parm, -p          an event parameter (ie: --parm 'url http://www.google.com/')
> >     --uuid, -U          a UUID to pass with the event
> > Example: Force discovery of a node:
> >     send-event.pl \\
> >         --interface 172.16.1.1 \\
> >         uei.opennms.org/internal/discovery/newSuspect
> > END
> > }
> >
> > Simple-evcorr-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
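Honia's second question (a pattern that fires on CONFIG but not on NOCONFIG) and Jim's full pattern, worked through on sample log lines. This is an added example, not code from the thread: the five lines are constructed to fit the shape Jim's regex expects (a bracketed date-time stamp, then a "Notification:" record whose message is host|ip|flag), because the page never shows the real notification format. The candidates are written against Python's re, which handles \b, lookbehind and $ the same way the Perl engine behind SEC's ptype=RegExp does; the $-anchored form assumes the flag is the last field on the line.

```python
"""Which regex matches CONFIG lines but not NOCONFIG (or CONFIGURED, PRECONFIG)?

Added example for the SEC thread; the log lines are constructed, not real.
"""
import re

# Constructed sample input in the shape Jim's pattern expects.
SAMPLE_LINES = [
    "[2009-03-11 12:25:12] Notification: severity = Warning, message = host1|192.168.1.1|CONFIG",
    "[2009-03-11 12:25:13] Notification: severity = Warning, message = host2|192.168.1.2|NOCONFIG",
    "[2009-03-11 12:25:14] Notification: severity = Minor, message = host3|192.168.1.3|CONFIG",
    "[2009-03-11 12:25:15] Notification: severity = Minor, message = host4|192.168.1.4|CONFIGURED",
    "[2009-03-11 12:25:16] Notification: severity = Major, message = host5|192.168.1.5|PRECONFIG",
]

# Candidate SEC patterns (pattern=... with ptype=RegExp).
NAIVE = re.compile(r"CONFIG")              # substring: also hits NOCONFIG, CONFIGURED, PRECONFIG
WORDBOUND = re.compile(r"\bCONFIG\b")      # whole word only: rejects every prefixed/suffixed form
LOOKBEHIND = re.compile(r"(?<!NO)CONFIG")  # rejects only the NO prefix, nothing else
FIELD = re.compile(r"\|CONFIG$")           # CONFIG as the final |-separated field (assumes that layout)

# Jim's pattern from the thread, date and time halves re-joined on the space
# the mail client wrapped them at. Groups: 3=severity 4=host 5=ip 6=flag.
JIM = re.compile(
    r"\[\d{4}(-\d\d){2} (\d\d:){2}\d\d\].\s*Notification:\sseverity\s*=\s*([^,]*),"
    r"\s*message\s=.\s*(\S+)\|(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})\|(CONFIG)"
)


def matching_hosts(pattern, lines=SAMPLE_LINES):
    """Return the host field of every sample line the pattern accepts."""
    hosts = []
    for line in lines:
        if pattern.search(line):
            hosts.append(line.rsplit("= ", 1)[1].split("|")[0])
    return hosts


def jim_fields(line):
    """Apply Jim's pattern; return (severity, host, ip, flag) or None if it does not fire."""
    m = JIM.search(line)
    if not m:
        return None
    return m.group(3), m.group(4), m.group(5), m.group(6)


if __name__ == "__main__":
    for name, pat in [("CONFIG", NAIVE), (r"\bCONFIG\b", WORDBOUND),
                      ("(?<!NO)CONFIG", LOOKBEHIND), (r"\|CONFIG$", FIELD)]:
        print(f"{name:16} -> {matching_hosts(pat)}")
    for line in SAMPLE_LINES:
        print(jim_fields(line))
```

Of the short forms, `\bCONFIG\b` is the one to put in my.conf: it excludes NOCONFIG without special-casing the NO prefix, so later variants such as CONFIGURED or PRECONFIG stay excluded too. Note that Jim's longer pattern already rejects NOCONFIG (the flag must follow the IP and a literal `|`), but because it is not anchored at the end it still accepts CONFIGURED.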
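Jim's suggested check for whether send-event.pl delivered anything is tcpdump. The following added example (not code from the thread or from OpenNMS) does the same job with a throwaway listener on an ephemeral loopback port: it builds the event with the element layout send-event.pl uses, ships it over TCP the way the script does (write, then close), and parses what arrived. It assumes only what the page shows, the <log><events><event> document and the script's default port 5817; the description text and parameter values are constructed. The `]]>` handling in cdata_safe is an addition that the script on the page does not have (its parm names and values go into CDATA sections unmodified, and a value containing `]]>` would end the section early).

```python
"""Build an OpenNMS event like send-event.pl, deliver it to a loopback
listener instead of eventd, and parse what actually reached the wire.

Added example for the SEC/OpenNMS thread; inputs are constructed.
"""
import socket
import threading
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVENTD_PORT = 5817  # send-event.pl's default; the listener below uses port 0 instead


def cdata_safe(text):
    """Split any "]]>" in text so it cannot terminate the CDATA section early."""
    return text.replace("]]>", "]]]]><![CDATA[>")


def build_event(uei, host, interface=None, descr=None, severity=None, parms=()):
    """Same element layout as send-event.pl: text fields XML-escaped,
    parameter name/value in CDATA."""
    lines = ["<log>", " <events>", "  <event>",
             f"   <uei>{escape(uei)}</uei>",
             "   <source>perl_send_event</source>",
             f"   <host>{escape(host)}</host>"]
    if interface is not None:
        lines.append(f"   <interface>{escape(interface)}</interface>")
    if parms:
        lines.append("   <parms>")
        for name, value in parms:
            lines += ["    <parm>",
                      f"     <parmName><![CDATA[{cdata_safe(name)}]]></parmName>",
                      f'     <value type="string" encoding="text"><![CDATA[{cdata_safe(value)}]]></value>',
                      "    </parm>"]
        lines.append("   </parms>")
    if descr is not None:
        lines.append(f"   <descr>{escape(descr)}</descr>")
    if severity is not None:
        lines.append(f"   <severity>{escape(severity)}</severity>")
    lines += ["  </event>", " </events>", "</log>"]
    return "\n".join(lines) + "\n"


def parse_event(xml_text):
    """Parse a received document into the fields a consumer would read."""
    ev = ET.fromstring(xml_text).find("events/event")
    return {
        "uei": ev.findtext("uei"),
        "interface": ev.findtext("interface"),
        "descr": ev.findtext("descr"),
        "parms": [(p.findtext("parmName"), p.findtext("value")) for p in ev.iter("parm")],
    }


def roundtrip(xml_text):
    """Send xml_text over TCP to a loopback listener; return the bytes it received."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port, so no clash with a real eventd on 5817
    srv.listen(1)
    received = bytearray()

    def accept():
        conn, _ = srv.accept()
        with conn:
            while chunk := conn.recv(4096):
                received.extend(chunk)

    t = threading.Thread(target=accept)
    t.start()
    with socket.create_connection(srv.getsockname()) as c:
        c.sendall(xml_text.encode())  # send-event.pl: print $socket $event; $socket->close()
    t.join()
    srv.close()
    return received.decode()


# Constructed description with XML metacharacters, as a collectd message might carry.
CONSTRUCTED_DESCR = 'config drift: <interface> "eth0" & eth1 differ'

if __name__ == "__main__":
    doc = build_event("uei.mycompany.net/generic/collectd/inconsistentconfig", "servername",
                      interface="192.168.1.1", descr=CONSTRUCTED_DESCR,
                      parms=[("source", "collectd"), ("raw", "value with ]]> inside")])
    print(parse_event(roundtrip(doc)))
```

Running the block prints the parsed fields exactly as sent, which is the confirmation the thread was after: if SEC's shellcmd fired and the script could connect, this listener (or tcpdump on port 5817 against the real eventd) sees the document; if nothing arrives, the problem is before the socket, not in OpenNMS.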