A quick question -- did you save the foobar string into your input file 
_before_ starting SEC? SEC does not read in already existing lines by default, 
but rather jumps to the end of the file and waits for new lines to arrive. Try 
to start SEC first and then type 'echo foobar >> yourfile' -- does it make any 
difference?
br,
risto

> Risto,
> 
> No, I am running SEC in regular mode (-nodetach) and yes,
> I'm using SEC log as well which just shows the rule was
> found and the send-event.pl command was executed
> successfully... Here's an update:
> 
> I replaced the pattern in my.conf with a much simpler
> one:
> 
> my.conf
> 
> # Example my.conf
> # Recognize a pattern and execute send-event.pl
> #
> type=Single
> ptype=RegExp
> pattern=foobar
> desc=$0
> action=shellcmd ./honia.sh
> 
> honia.sh
> 
> #!/bin/sh
> # Shell command for sending events to OpenNMS via send-event.pl
> #
> ./send-event.pl uei.mycompany.net/generic/collectd/inconsistentconfig -i 192.168.1.1
> 
> Now, when I run SEC, if I leave the input as input=- and
> type the word foobar at runtime, it works and the
> send-event would be called and will send the event to ONMS
> successfully. (See output 1)
> 
> But if I save the word foobar into a file and name it
> monitor.me or something else, SEC will not match anything
> and therefore send-event will not be called (See output 1).
> Here are the outputs I get for each case:
> 
> Output 1:
> 
> [r...@servername sec-2.5.0]# ./sec.pl -conf=my.conf -input=-
> SEC (Simple Event Correlator) 2.5.0
> Reading configuration from my.conf
> 1 rules loaded from my.conf
> Stdin connected to terminal, handler for SIGINT not installed
> foobar
> Executing shell command './honia.sh'
> Child 9126 created for command './honia.sh'
> 
> Output 2:
> 
> [r...@servername sec-2.5.0]# ./sec.pl -conf=my.conf -input=monitor.me
> SEC (Simple Event Correlator) 2.5.0
> Reading configuration from my.conf
> 1 rules loaded from my.conf
> Stdin connected to terminal, handler for SIGINT not installed
> 
> monitor.me
> 
> foobar
> 
> At this point my questions are:
> 
> 1) Why can SEC read the input from terminal and not from
> the input file?
> 
> 2) What would be the simplest pattern that matches only the
> log lines with the word CONFIG in them and doesn't match
> the ones with the word NOCONFIG?
> 
> Thanks in advance,
> 
> Honia
> 
> > Date: Wed, 11 Mar 2009 12:25:12 -0700
> > From: rvaara...@yahoo.com
> > Subject: Re: [Simple-evcorr-users] SEC conf file and shellcmd??
> > To: jbr...@thrupoint.net; simple-evcorr-users@lists.sourceforge.net; honia2...@hotmail.com
> > 
> > Honia,
> > are you running SEC in the daemon mode (with the -detach
> > option)? If so, all scripts in your rule files *must* be
> > specified with full path names, since in the daemon mode
> > SEC changes its working directory to /.
> > Also, have you activated logging for SEC with the -log
> > option? If so, what kind of messages are appearing in the
> > SEC log file about the script execution?
> > br,
> > risto
> > 
> > > James,
> > > 
> > > Thanks for trying to help me...I did what you said
> > > regarding send-event.pl modifications and unfortunately
> > > didn't get the same output as yours...same thing again,
> > > saying it's running but it doesn't.
> > > 
> > > Getting it to work with a remote host is not an option for
> > > me right now, SEC and the destination (opennms) are both
> > > located on the same host, so it should be pretty straight
> > > forward to run send-event.pl from inside SEC and generate a
> > > simple event...
> > > 
> > > Regarding what you mentioned about the action being just
> > > one long line, do you think SEC fails to read the entire
> > > line as one and because of the "-" and the
> > > whitespaces it thinks it might be two lines or something?
> > > 
> > > To test that, I put the action in a .sh file and named it
> > > honia.sh:
> > > 
> > > #!/bin/sh
> > > # Shell command for sending events to OpenNMS via send-event.pl
> > > #
> > > ./send-event.pl uei.mycompany.net/generic/collectd/inconsistentconfig -i 192.168.1.1
> > > 
> > > Then modified the action line:
> > > 
> > > action=shellcmd ./honia.sh
> > > 
> > > But it still doesn't work. I checked the permissions
> > > and everything looks good...
> > > 
> > > Any help will be much appreciated!
> > > 
> > > honia
> > > 
> > > Subject: RE: [Simple-evcorr-users] SEC conf file and shellcmd??
> > > Date: Wed, 11 Mar 2009 11:38:33 -0400
> > > From: jbr...@thrupoint.net
> > > To: honia2...@hotmail.com
> > > 
> > > Hi Honia,
> > > 
> > > OK, I loaded up send-event.pl on my system.
> > > 
> > > Basically, this script takes the parameters on the command
> > > line and creates some XML tags. It then opens a socket
> > > connection to the host you specify on the command line,
> > > sends the XML entries, and closes the socket.
> > > 
> > > Since I don't have any other as a destination target, I
> > > made the following changes so I could run it locally:
> > > 
> > > # out jpb my $socket = IO::Socket::INET->new(PeerAddr => $HOST_TO, PeerPort => $PORT_TO, Proto => "tcp", Type => SOCK_STREAM)
> > > # out jpb or die "Couldn't connect to $HOST_TO:$PORT_TO - $@\n";
> > > print "$event" if ($VERBOSE);
> > > # one new line jpb
> > > print "[[[$event]]]";
> > > # out jpb print $socket $event;
> > > # out jpb $socket->close();
> > > 
> > > These changes just comment out the socket connection and
> > > print the XML on standard out.
> > > 
> > > I have the following config (careful of word wrap - the
> > > action line is just one long line):
> > > 
> > > type=Single
> > > ptype=RegExp
> > > pattern=\[\d{4}(-\d\d){2} (\d\d:){2}\d\d\].\s*Notification:\sseverity\s*=\s*([^,]*),\s*message\s=.\s*(\S+)\|(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})\|(CONFIG)
> > > desc=$0
> > > action=shellcmd /opt/UBS/prod/test/jpb/send-event.pl uei.mycompany.net/generic/collectd/inconsistentconfig -i 1.1.1.1
> > > 
> > > I ran it like this, and copied your input into file z.z:
> > > 
> > > r...@logmon:/opt/UBS/prod/test/jpb#perl ../../scripts/sec.pl -conf=t.conf -input=z.z
> > > Simple Event Correlator version 2.1.9
> > > Reading configuration from t.conf
> > > 1 rules loaded from t.conf
> > > Executing shell command '/opt/UBS/prod/test/jpb/send-event.pl uei.mycompany.net/generic/collectd/inconsistentconfig -i 1.1.1.1'
> > > Child 7952 created for command '/opt/UBS/prod/test/jpb/send-event.pl uei.mycompany.net/generic/collectd/inconsistentconfig -i 1.1.1.1'
> > > [[[<log>
> > > <events>
> > > <event >
> > > <uei>uei.mycompany.net/generic/collectd/inconsistentconfig</uei>
> > > <source>perl_send_event</source>
> > > <time>Wednesday, March 11, 2009 4:16:33 PM GMT</time>
> > > <host>logmon.soc.mtesta.eu</host>
> > > <interface>1.1.1.1</interface>
> > > </event>
> > > </events>
> > > </log>
> > > ]]]
> > > 
> > > I would say at this point, that sec is not the problem.
> > > You should see the same output.
> > > 
> > > Also, I noticed that send-event.pl can send to a remote
> > > host. Undo the changes to send-event.pl we made above, and
> > > try it again, with a parameter for sending to a remote host.
> > > While it's running, use wireshark or tcpdump or snoop
> > > to monitor the network traffic. You should see the
> > > above entry somewhere in that traffic.
> > > 
> > > I hope this helps,
> > > Jim B.
> > > 
> > > From: Honia A [mailto:honia2...@hotmail.com]
> > > Sent: Wed 3/11/2009 2:46 PM
> > > To: SEC
> > > Subject: Re: [Simple-evcorr-users] SEC conf file and shellcmd?
> > > 
> > > Hi Jim,
> > > 
> > > Thanks for your reply. I did everything you said and here
> > > are the results:
> > > 
> > > 1) action=write - OKOKOKOK: $0 worked fine
> > > 
> > > 2) I found out SEC skips all the lines if I don't use
> > > -notail...so I added -notail to the ./sec.pl command now
> > > 
> > > 3) Changed my.conf so that SEC executes t.pl and it worked
> > > just fine...
> > > 
> > > 4) Checked send-event.pl permission and it was 0755 which
> > > is fine. I even changed it to 0777 but still didn't
> > > work. I paste the code for send-event.pl at the end of this
> > > email for your review...I didn't seem to find anything
> > > wrong about it...maybe it calls other files and the
> > > permission of those files are not set properly. Maybe you
> > > could take a look at it if possible :-)
> > > 
> > > I even moved the send-event.pl file to the same directory as
> > > sec but it still doesn't work. (got no errors or
> > > anything)
> > > 
> > > 5) uei.mycompany.net/generic/collectd/inconsistentconfig
> > > is just a label and not a path...so, it should be fine.
> > > 
> > > So at this point, we know that if I run this command
> > > directly from the terminal it works just fine:
> > > 
> > > [r...@servername sec-2.5.0]# ./send-event.pl uei.mycompany.net/generic/collectd/inconsistentconfig -i 192.168.1.1
> > > 
> > > But if I have SEC run that as a shellcmd command it
> > > fails...
> > > 
> > > Please help me,
> > > 
> > > Thanks in advance,
> > > Honia
> > > 
> > > Here's the send-event.pl code:
> > > 
> > > #!/usr/bin/perl
> > > use strict;
> > > use Getopt::Long;
> > > use IO::Socket;
> > > use POSIX qw(strftime);
> > > use vars qw(
> > >     $VERSION
> > >     $DESCR
> > >     $HOSTNAME
> > >     $INTERFACE
> > >     $NODEID
> > >     $SERVICE
> > >     $SEVERITY
> > >     $SOURCE
> > >     $UEI
> > >     $UUID
> > >     $VERBOSE
> > >     $ZONE
> > >     $OPERINSTR
> > >     @PARMS
> > >     @SEVERITIES
> > >     $HOST_TO
> > >     $PORT_TO
> > > );
> > > $VERSION = '0.3';
> > > $VERBOSE = 0;
> > > $ZONE = 'GMT';
> > > @SEVERITIES = ( undef, 'Indeterminate', 'Cleared', 'Normal', 'Warning', 'Minor', 'Major', 'Critical' );
> > > 
> > > my $help = 0;
> > > my $version = 0;
> > > my $result = GetOptions("help|h"        => \$help,
> > >                         "descr|d=s"     => \$DESCR,
> > >                         "interface|i=s" => \$INTERFACE,
> > >                         "nodeid|n=i"    => \$NODEID,
> > >                         "parm|p=s"      => \@PARMS,
> > >                         "service|s=s"   => \$SERVICE,
> > >                         "uuid|U=i"      => \$UUID,
> > >                         "version|V"     => \$version,
> > >                         "verbose|v"     => \$VERBOSE,
> > >                         "severity|x=i"  => \$SEVERITY,
> > >                         "operinstr|o=s" => \$OPERINSTR);
> > > if (! $result) { print get_help(); exit; }
> > > if ($version) { print "$0 version $VERSION\n"; exit; }
> > > if ($help) { print get_help(); exit; }
> > > # parm array is numerically referenced in OpenNMS' templates
> > > @PARMS = reverse map { parse_parm($_) } @PARMS;
> > > chomp (my $hostname = `hostname`);
> > > my @addr = gethostbyname($hostname);
> > > $SOURCE = 'perl_send_event';
> > > $HOSTNAME = gethostbyaddr($addr[4], 2);
> > > $UEI = $ARGV[0];
> > > $HOST_TO = $ARGV[1];
> > > $PORT_TO = 5817;
> > > #### bounds-checking on various inputs
> > > # UEI
> > > if (defined $UEI) {
> > >     unless (grep(m#uei#, $UEI)) {
> > >         print "*** \"$UEI\" does not appear to be a valid UEI\n\n";
> > >         print get_help();
> > >         exit 1;
> > >     }
> > > } else {
> > >     print get_banner(), "the UEI is a required field!\n";
> > >     print get_help();
> > >     exit 1;
> > > }
> > > if (defined $HOST_TO) {
> > >     my ($host, $port) = split(/:/, $HOST_TO);
> > >     if ($port =~ /^\d+$/ and $port > 0) {
> > >         $PORT_TO = $port;
> > >     }
> > >     if ($host ne "") {
> > >         $HOST_TO = $host;
> > >     }
> > > } else {
> > >     $HOST_TO = 'localhost';
> > > }
> > > if (defined $SEVERITY) {
> > >     my $SEVERITY_OK = 0;
> > >     if ($SEVERITY !~ /^\d+$/) {
> > >         $SEVERITY = ucfirst(lc($SEVERITY));
> > >         for my $index (0..$#SEVERITIES) {
> > >             if ($SEVERITY eq $SEVERITIES[$index]) {
> > >                 $SEVERITY_OK = 1;
> > >                 last;
> > >             }
> > >         }
> > >         unless ($SEVERITY_OK) {
> > >             print "*** $SEVERITY does not appear to be a valid severity level\n\n";
> > >             print get_help();
> > >             exit 1;
> > >         }
> > >     } else {
> > >         if (defined $SEVERITIES[$SEVERITY]) {
> > >             $SEVERITY = $SEVERITIES[$SEVERITY];
> > >         } else {
> > >             print "*** $SEVERITY does not appear to be a valid severity level\n\n";
> > >             print get_help();
> > >             exit 1;
> > >         }
> > >     }
> > > }
> > > if (defined $INTERFACE) {
> > >     unless (4 == grep($_ <= 255, $INTERFACE =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/)) {
> > >         print "*** \"$INTERFACE\" does not appear to be a valid IP address\n\n";
> > >         print get_help();
> > >         exit 1;
> > >     }
> > > }
> > > if (defined $DESCR) {
> > >     ($DESCR) = simple_parse($DESCR);
> > > }
> > > if (defined $SERVICE) {
> > >     ($SERVICE) = simple_parse($SERVICE);
> > > }
> > > my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = gmtime(time);
> > > $year += 1900;
> > > my $month = $mon;
> > > $min = sprintf("%02d", $min);
> > > $sec = sprintf("%02d", $sec);
> > > my $ap = "AM";
> > > $ap = "PM" if ($hour >= 12);
> > > $hour = $hour % 12;
> > > my @week = ('Sunday', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday');
> > > my @month = ('January', 'February', 'March', 'April', 'May', 'June', 'July', 'August', 'September', 'October', 'November', 'December');
> > > my $uuidattribute;
> > > if (defined $UUID) {
> > >     $uuidattribute = "uuid=\"$UUID\"";
> > > } else {
> > >     $uuidattribute = "";
> > > }
> > > 
> > > my $event = <<END;
> > > <log>
> > > <events>
> > > <event $uuidattribute>
> > > <uei>$UEI</uei>
> > > <source>$SOURCE</source>
> > > END
> > > $event .= " <nodeid>$NODEID</nodeid>\n" if (defined $NODEID);
> > > $event .= <<END;
> > > <time>$week[$wday], $month[$month] $mday, $year $hour:$min:$sec $ap $ZONE</time>
> > > <host>$HOSTNAME</host>
> > > END
> > > $event .= " <interface>$INTERFACE</interface>\n" if (defined $INTERFACE);
> > > $event .= " <service>$SERVICE</service>\n" if (defined $SERVICE);
> > > if (@PARMS) {
> > >     $event .= " <parms>\n";
> > >     for my $parm (@PARMS) {
> > >         $event .= <<END;
> > > <parm>
> > > <parmName><![CDATA[$parm->{'name'}]]></parmName>
> > > <value type="string" encoding="text"><![CDATA[$parm->{'value'}]]></value>
> > > </parm>
> > > END
> > >     }
> > >     $event .= " </parms>\n";
> > > }
> > > $event .= " <descr>$DESCR</descr>\n" if (defined $DESCR);
> > > $event .= " <severity>$SEVERITY</severity>\n" if (defined $SEVERITY);
> > > $event .= " <operinstruct>$OPERINSTR</operinstruct>\n" if (defined $OPERINSTR);
> > > $event .= <<END;
> > > </event>
> > > </events>
> > > </log>
> > > END
> > > print "- sending to $HOST_TO on port $PORT_TO...\n" if ($VERBOSE);
> > > my $socket = IO::Socket::INET->new(PeerAddr => $HOST_TO, PeerPort => $PORT_TO, Proto => "tcp", Type => SOCK_STREAM)
> > >     or die "Couldn't connect to $HOST_TO:$PORT_TO - $@\n";
> > > print "$event" if ($VERBOSE);
> > > print $socket $event;
> > > $socket->close();
> > > sub parse_parm {
> > >     my $parm = shift;
> > >     my ($name, $value) = split(/\s+/, $parm, 2);
> > >     return ({ name => $name, value => $value });
> > > }
> > > sub get_banner {
> > >     return <<END;
> > > Usage: $0 <UEI> [host] [options]
> > > END
> > > }
> > > sub simple_parse {
> > >     for (@_) {
> > >         s#\&#\&amp;#gs;
> > >         s#\<#\&lt;#gs;
> > >         s#\>#\&gt;#gs;
> > >         s#\'#\&apos;#gs;
> > >         s#\"#\&quot;#gs;
> > >     }
> > >     return @_;
> > > }
> > > sub get_help {
> > >     return (get_banner, <<END);
> > > Options:
> > > <UEI>            the universal event identifier (URI)
> > > [host[:port]]    a hostname to send the event to (default: localhost)
> > > --version, -V    print version and exit successfully
> > > --verbose, -v    print the raw XML that's generated
> > > --help, -h       this help message
> > > --timezone, -t   the time zone you are in
> > > --service, -s    service name
> > > --nodeid, -n     node identifier (numeric)
> > > --interface, -i  IP address of the interface
> > > --descr, -d      a description for the event browser
> > > --severity, -x   the severity of the event (numeric or name)
> > >                    1 = Indeterminate
> > >                    2 = Cleared (unimplemented at this time)
> > >                    3 = Normal
> > >                    4 = Warning
> > >                    5 = Minor
> > >                    6 = Major
> > >                    7 = Critical
> > > --parm, -p       an event parameter (ie: --parm 'url http://www.google.com/')
> > > --uuid, -U       a UUID to pass with the event
> > > Example: Force discovery of a node:
> > > send-event.pl \\
> > > --interface 172.16.1.1 \\
> > > uei.opennms.org/internal/discovery/newSuspect
> > > END
> > > }
> > > 
> > 
> > 
> > 
> 


      

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
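
The two behaviours described in this thread (SEC starting at the end of an existing input file unless -notail is given, and relative script paths failing once the working directory is / in daemon mode), modelled with standard shell tools. This is an added example, not part of the original messages, and it does not run SEC itself; the function names, temporary files and the stub honia.sh are constructed for illustration.

```shell
#!/bin/sh
# Added illustration: models the two SEC behaviours with standard tools.
# It does not run SEC; file names and the stub script are constructed.

# Byte offset the monitor starts reading from: end of file by default,
# start of file when the -notail behaviour is wanted.
start_offset() {   # $1=file  $2=tail|notail
    if [ "$2" = notail ]; then echo 0; else wc -c < "$1" | tr -d ' '; fi
}

# Count lines matching a pattern among the bytes written after an offset.
matches_after() {  # $1=file  $2=offset  $3=pattern
    tail -c +"$(( $2 + 1 ))" "$1" | grep -c -- "$3" || true
}

# "foobar" is saved before startup; optionally another is appended afterwards.
input_scenario() { # $1=tail|notail  $2=append|noappend
    f=$(mktemp)
    echo foobar > "$f"
    off=$(start_offset "$f" "$1")          # monitor "starts" here
    if [ "$2" = append ]; then echo foobar >> "$f"; fi
    matches_after "$f" "$off" foobar
    rm -f "$f"
}

# Exit status of a shellcmd-style command line run from a working directory.
run_from() {       # $1=directory  $2=command line
    status=0
    ( cd "$1" && sh -c "$2" ) >/dev/null 2>&1 || status=$?
    echo "$status"
}

# Stub honia.sh in a scratch directory, invoked after a chdir to / as in
# daemon mode, by relative or by full path.
cwd_scenario() {   # $1=relative|absolute
    d=$(mktemp -d)
    printf '#!/bin/sh\nexit 0\n' > "$d/honia.sh"
    chmod +x "$d/honia.sh"
    if [ "$1" = relative ]; then cmd=./honia.sh; else cmd="$d/honia.sh"; fi
    run_from / "$cmd"
    rm -rf "$d"
}

echo "default, line saved before start  : $(input_scenario tail noappend) match(es)"
echo "default, line appended after start: $(input_scenario tail append) match(es)"
echo "-notail, line saved before start  : $(input_scenario notail noappend) match(es)"
echo "relative path after chdir /       : exit $(cwd_scenario relative)"
echo "full path after chdir /           : exit $(cwd_scenario absolute)"
```

For a log monitor, the first case means events written before startup are never correlated unless the file is read from the beginning.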
