Risto, yes, you're right. I receive 3 different traps but from 3 different generic OIDs, but that's not important. For example:

<generic OID1> .1.2.3 A C
<generic OID2> .1.2.3 A D
<generic OID3> .1.2.3 B D

and each one of them brings the raw data:

<generic OID1> .1.2.3 ="OK"
<generic OID1> .1.2.3.5="234234"
<generic OID1> .1.2.3.6.7="UP"

As you can see, some of them have more numbers in the OID, so how can I process all of them independently of the amount of numbers in the OID? If it is not easily accomplished anyway, I guess I can receive the relevant data from the same amount of numbers in the OID.

What about using Context to save every value from every parameter of the trap, and when it's a data change, write it in another log? (maybe that perl script in http://snmptt.sourceforge.net/docs/snmptt.shtml#SEC to trap back). Is it possible?

Thank you very much

2010/6/1 Risto Vaarandi <risto.vaara...@seb.ee>

> Javier,
>
> if each trap has several parameters that can have different values, and
> you want to correlate events with the *same* set of values, this can be
> easily accomplished by setting the 'desc' parameter accordingly.
>
> Suppose that the trap with OID .1.2.3 can have two parameters:
>
> <generic OID> .1.2.3 A C
> <generic OID> .1.2.3 A D
> <generic OID> .1.2.3 B D
>
> With this example, it is obvious that the following rule will react only
> to the first trap:
>
> type=SingleWithSuppress
> ptype=RegExp
> pattern=<generic OID> (\S+)
> desc=estado $1
> action=shellcmd /home/javier/send.sh
> window=300
>
> However, if you rewrite the rule as follows, each trap .1.2.3 with a
> *different* set of parameter values will be correlated by a different
> event correlation operation (in other words, if a trap with a new set of
> parameter values comes in, it is written to the log and then suppressed
> for 5 minutes):
>
> type=SingleWithSuppress
> ptype=RegExp
> pattern=<generic OID> (\S+) (\S+) (\S+)
> desc=estado $1 $2 $3
> action=shellcmd /home/javier/send.sh
> window=300
>
> The key to the solution is to define the 'desc' parameter correctly,
> since 'desc' defines the scope of event correlation operations. Similar
> question has been asked many times in this list before, and since this
> is one of the fundamentals of SEC, please have a look at the relevant
> section of the man page:
> http://simple-evcorr.sourceforge.net/sec.pl.html#lbAV
> This section explains the relation between rules and event correlation
> operations, and how the 'desc' parameter influences this.
>
> BR,
> risto
>
> On 06/01/2010 10:32 AM, Javier wrote:
> > Hi,
> >
> > well, that trap comes from a device with several parameters. I receive 3
> > different traps, some common parameters to all traps and others only for
> > each trap. A change in the trap is when I receive a different data in
> > any parameter from the last same trap.
> >
> > I've been searching documentation and maybe I could use Context to save
> > the data from each parameter and then show it later if it changes, but I
> > don't know exactly how I can do that. Is it possible? Any suggestion?
> >
> > thanks in advance
> >
> >
> > 2010/5/31 Risto Vaarandi <rvaara...@yahoo.com>
> >
> > How do you define a change in the trap?
> > br,
> > risto
> >
> >
> > --- On Mon, 5/31/10, Javier <esj...@gmail.com> wrote:
> >
> > From: Javier <esj...@gmail.com>
> > Subject: [Simple-evcorr-users] Can SEC help me ??
> > To: "simple-evcorr-users" <simple-evcorr-users@lists.sourceforge.net>
> > Date: Monday, May 31, 2010, 8:15 PM
> >
> > Hi,
> >
> > I need to make a persistence correlation and I'm not sure if SEC can
> > help me. It should go like this:
> >
> > I receive traps with a determinate OID in a log file as raw data,
> > then I write the output to a DB to show it later as an alarm.
> >
> >
> > I want to show the first coincidence and I want to correlate the
> > event to show only when it's a change in the trap during a time
> > threshold and if there's a change in that same event, reset that
> > time threshold and of course show the changes. I prefer to do it in
> > memory and not in DB...
> >
> >
> > Well, is it possible to do that with SEC? and if yes... HOW??? maybe
> > using several rules in the same conf file??
> >
> >
> > thanks in advance
------------------------------------------------------------------------------
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
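
An added illustration, not part of the original thread and not SEC code: a small Python model of the SingleWithSuppress behaviour described in the quoted reply, showing how the expanded 'desc' string decides which traps share one suppression window. The class, the function names and the timestamps are constructed for the example; the trap lines and the two pattern/desc pairs are the ones from the thread.

```python
import re

class SingleWithSuppress:
    """Toy model of a SEC SingleWithSuppress rule (assumption: not SEC's code)."""
    def __init__(self, pattern, desc, window):
        self.pattern = re.compile(pattern)
        self.desc = desc        # template with $1, $2, ... as in the rules above
        self.window = window    # suppression window in seconds
        self.operations = {}    # expanded desc -> start time of its operation

    def feed(self, ts, line):
        """Return the expanded desc if the action would run, else None."""
        m = self.pattern.search(line)
        if m is None:
            return None
        # The expanded 'desc' is the key that identifies the operation.
        key = re.sub(r"\$(\d+)", lambda v: m.group(int(v.group(1))), self.desc)
        started = self.operations.get(key)
        if started is not None and ts - started < self.window:
            return None         # same key, window still open: suppressed
        self.operations[key] = ts
        return key

# Constructed sample input: (seconds since start, trap line from the thread).
EVENTS = [
    (0, "<generic OID> .1.2.3 A C"),
    (10, "<generic OID> .1.2.3 A D"),
    (20, "<generic OID> .1.2.3 B D"),
    (30, "<generic OID> .1.2.3 A C"),    # repeat inside the 300 s window
    (400, "<generic OID> .1.2.3 A C"),   # the earlier window has expired
]

def fired(pattern, desc, events=EVENTS, window=300):
    """Replay events through a fresh rule; list (time, desc) of executed actions."""
    rule = SingleWithSuppress(pattern, desc, window)
    out = []
    for ts, line in events:
        key = rule.feed(ts, line)
        if key is not None:
            out.append((ts, key))
    return out

def demo():
    narrow = fired(r"<generic OID> (\S+)", "estado $1")
    wide = fired(r"<generic OID> (\S+) (\S+) (\S+)", "estado $1 $2 $3")
    return narrow, wide

if __name__ == "__main__":
    for name, result in zip(("desc=estado $1", "desc=estado $1 $2 $3"), demo()):
        print(name, "->", result)
```

With `desc=estado $1` all three parameter sets collapse into one operation, so only the first trap triggers the action until the window ends; with `desc=estado $1 $2 $3` each distinct set gets its own window.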