Risto, ok, but imagine this: my traps have 20 fixed parameters common to all kind of traps. Each trap of those three, have their own parameters values, so, how can i process all of them?, i guess with the "father" OID like this:
pattern=<generic "father" OID>[\d.]=(\S+) ... 1.3.8.6.[\d.]=(\S+) or maybe pattern=<generic "father" OID>\[(\d+)\]:(\S+) ... 1.3.8.6.\[(\d+)\]:(\S+) which one ?? And I still haven't clear how to do this rule and how to save the data to compare with the previous values. please, Any idea? thanks 2010/6/1 Risto Vaarandi <risto.vaara...@seb.ee> > On 06/01/2010 11:31 AM, Javier wrote: > > Risto, > > > > yes, you´re right. I receive 3 different traps but from 3 different > > generic OID's but that´s not important. For example > > > > <generic OID1> .1.2.3 A C > > <generic OID2> .1.2.3 A D > > <generic OID3> .1.2.3 B D > > > > and each one of them, brings the raw data: > > > > <generic OID1> .1.2.3 ="OK" > > <generic OID1> .1.2.3.5="234234" > > <generic OID1> .1.2.3.6.7="UP" > > > > As you can see, some of them have more numbers in the OID, so how can i > > process all of them independently of the amount of numbers in the OID?. > > If is it not easily acomplished anyway, i guess i can receive the > > relevant data from the same amount of numbers in the OID. > > it should be fairly easy to write a regular expression that handles the > variable amount of numbers. For example, [\d.]+=(\S+) matches any > sequence of numbers and dots that is followed by '=', and it also > assigns the value that follows '=' to a variable $1. > > > > > What about to use Context to save every value from every parameter of > > the trap and when its a data change, write it in another log? (maybe > > that perl script in http://snmptt.sourceforge.net/docs/snmptt.shtml#SEC > > to trap back). Is it possible??. > > Indeed, you could use contexts for memorizing event correlation state, > but I'd recommend to take advantage of the 'desc' field of a rule. > > BR, > risto > > > > > > > Thank you very much > > > > > > 2010/6/1 Risto Vaarandi <risto.vaara...@seb.ee > > <mailto:risto.vaara...@seb.ee>> > > > > Javier, > > > > if each trap has several parameters that can have different values, > and > > you want to correlate events with the *same* set of values, this can > be > > easily accomplished by setting the 'desc' parameter accordingly. > > > > Suppose that the trap with OID .1.2.3 can have two parameters: > > > > <generic OID> .1.2.3 A C > > <generic OID> .1.2.3 A D > > <generic OID> .1.2.3 B D > > > > With this example, it is obvious that the following rule will react > only > > to the first trap: > > > > type=SingleWithSuppress > > ptype=RegExp > > pattern=<generic OID> (\S+) > > desc=estado $1 > > action=shellcmd /home/javier/send.sh > > window=300 > > > > However, if you rewrite the rule as follows, each trap .1.2.3 with a > > *different* set of parameter values will be correlated by a different > > event correlation operation (in other words, if a trap with a new set > of > > parameter values comes in, it is written to the log and then > suppressed > > for 5 minutes): > > > > type=SingleWithSuppress > > ptype=RegExp > > pattern=<generic OID> (\S+) (\S+) (\S+) > > desc=estado $1 $2 $3 > > action=shellcmd /home/javier/send.sh > > window=300 > > > > The key to the solution is to define the 'desc' parameter correctly, > > since 'desc' defines the scope of event correlation operations. > Similar > > question has been asked many times in this list before, and since > this > > is one of the fundamentals of SEC, please have a look at the relevant > > section of the man page: > > http://simple-evcorr.sourceforge.net/sec.pl.html#lbAV > > This section explains the relation between rules and event > correlation > > operations, and how the 'desc' parameter influences this. > > > > BR, > > risto > > > > On 06/01/2010 10:32 AM, Javier wrote: > > > Hi, > > > > > > well, that trap comes from a device with several parameters. I > > receive 3 > > > different traps, some common parameters to all traps and others > > only for > > > each trap. A change in the trap is when I receive a different data > in > > > any parameter from the last same trap. > > > > > > I´ve been searching documentation and maybe i could use Context > > to save > > > the data from each parameter and then show it later if it > > changes, but i > > > don´t know exactly how i can do that. Is it possible?. Any > > suggestion? > > > > > > thanks in advance > > > > > > > > > 2010/5/31 Risto Vaarandi <rvaara...@yahoo.com > > <mailto:rvaara...@yahoo.com> <mailto:rvaara...@yahoo.com > > <mailto:rvaara...@yahoo.com>>> > > > > > > How do you define a change in the trap? > > > br, > > > risto > > > > > > > > > --- On Mon, 5/31/10, Javier <esj...@gmail.com > > <mailto:esj...@gmail.com> > > > <mailto:esj...@gmail.com <mailto:esj...@gmail.com>>> wrote: > > > > > > From: Javier <esj...@gmail.com <mailto:esj...@gmail.com> > > <mailto:esj...@gmail.com <mailto:esj...@gmail.com>>> > > > Subject: [Simple-evcorr-users] Can SEC help me ?? > > > To: "simple-evcorr-users" > > <simple-evcorr-users@lists.sourceforge.net > > <mailto:simple-evcorr-users@lists.sourceforge.net> > > > <mailto:simple-evcorr-users@lists.sourceforge.net > > <mailto:simple-evcorr-users@lists.sourceforge.net>>> > > > Date: Monday, May 31, 2010, 8:15 PM > > > > > > Hi, > > > > > > i need to make a persistance correlation and i´m not sure if > > SEC can > > > help me. It should goes like this: > > > > > > I receive traps with a determinate OID in a log file as raw > data, > > > then i write the output to a DB to show it later as an alarm. > > > > > > > > > I want to show the first coincidence and i want to correlate > the > > > event to show only when its a change in the trap during a time > > > threshold and if there´s a change in that same event, reset > that > > > time threshold and of course show the changes. I prefer do it > in > > > memory and not in DB... > > > > > > > > > Well, is it possible to do that with SEC? and if yes... > > HOW??? maybe > > > using several rules in the same conf file?? > > > > > > > > > thanks in advance > > > > > > > > > > > > > > > -----Inline Attachment Follows----- > > > > > > > > > ------------------------------------------------------------------------------ > > > > > > > > > -----Inline Attachment Follows----- > > > > > > _______________________________________________ > > > Simple-evcorr-users mailing list > > > Simple-evcorr-users@lists.sourceforge.net > > <mailto:Simple-evcorr-users@lists.sourceforge.net> > > > <mailto:Simple-evcorr-users@lists.sourceforge.net > > <mailto:Simple-evcorr-users@lists.sourceforge.net>> > > > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users > > > > > > > > > > > > > > > > > > > > > > > > > > > ------------------------------------------------------------------------------ > > > > > > > > > > > > > > > _______________________________________________ > > > Simple-evcorr-users mailing list > > > Simple-evcorr-users@lists.sourceforge.net > > <mailto:Simple-evcorr-users@lists.sourceforge.net> > > > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users > > > > > > > ------------------------------------------------------------------------------ > > > > _______________________________________________ > > Simple-evcorr-users mailing list > > Simple-evcorr-users@lists.sourceforge.net > > <mailto:Simple-evcorr-users@lists.sourceforge.net> > > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users > > > > > > > > > > > ------------------------------------------------------------------------------ > > > > > > > > > > _______________________________________________ > > Simple-evcorr-users mailing list > > Simple-evcorr-users@lists.sourceforge.net > > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users > > > > ------------------------------------------------------------------------------ > > _______________________________________________ > Simple-evcorr-users mailing list > Simple-evcorr-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users >
------------------------------------------------------------------------------
_______________________________________________ Simple-evcorr-users mailing list Simple-evcorr-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
