On 06/01/2010 12:23 PM, Javier wrote: > Risto, > > ok, but imagine this: my traps have 20 fixed parameters common to all > kind of traps. Each trap of those three, have their own parameters > values, so, how can i process all of them?, i guess with the "father" > OID like this: > > pattern=<generic "father" OID>[\d.]=(\S+) ... 1.3.8.6.[\d.]=(\S+) > > or maybe > > pattern=<generic "father" OID>\[(\d+)\]:(\S+) ... 1.3.8.6.\[(\d+)\]:(\S+) > > which one ??
Hmmm, it's hard to provide any precise suggestions on regular expressions, since I don't know what your input exactly looks like and what exactly you would like to suppress. If you could provide precise examples of the input with a precise problem statement, it would be much easier to help. BR, risto > > And I still haven't clear how to do this rule and how to save the data > to compare with the previous values. > please, Any idea? > > thanks > > 2010/6/1 Risto Vaarandi <risto.vaara...@seb.ee > <mailto:risto.vaara...@seb.ee>> > > On 06/01/2010 11:31 AM, Javier wrote: > > Risto, > > > > yes, you´re right. I receive 3 different traps but from 3 different > > generic OID's but that´s not important. For example > > > > <generic OID1> .1.2.3 A C > > <generic OID2> .1.2.3 A D > > <generic OID3> .1.2.3 B D > > > > and each one of them, brings the raw data: > > > > <generic OID1> .1.2.3 ="OK" > > <generic OID1> .1.2.3.5="234234" > > <generic OID1> .1.2.3.6.7="UP" > > > > As you can see, some of them have more numbers in the OID, so how > can i > > process all of them independently of the amount of numbers in the > OID?. > > If is it not easily acomplished anyway, i guess i can receive the > > relevant data from the same amount of numbers in the OID. > > it should be fairly easy to write a regular expression that handles the > variable amount of numbers. For example, [\d.]+=(\S+) matches any > sequence of numbers and dots that is followed by '=', and it also > assigns the value that follows '=' to a variable $1. > > > > > What about to use Context to save every value from every parameter of > > the trap and when its a data change, write it in another log? (maybe > > that perl script in > http://snmptt.sourceforge.net/docs/snmptt.shtml#SEC > > to trap back). Is it possible??. > > Indeed, you could use contexts for memorizing event correlation state, > but I'd recommend to take advantage of the 'desc' field of a rule. > > BR, > risto > > > > > > > Thank you very much > > > > > > 2010/6/1 Risto Vaarandi <risto.vaara...@seb.ee > <mailto:risto.vaara...@seb.ee> > > <mailto:risto.vaara...@seb.ee <mailto:risto.vaara...@seb.ee>>> > > > > Javier, > > > > if each trap has several parameters that can have different > values, and > > you want to correlate events with the *same* set of values, > this can be > > easily accomplished by setting the 'desc' parameter accordingly. > > > > Suppose that the trap with OID .1.2.3 can have two parameters: > > > > <generic OID> .1.2.3 A C > > <generic OID> .1.2.3 A D > > <generic OID> .1.2.3 B D > > > > With this example, it is obvious that the following rule will > react only > > to the first trap: > > > > type=SingleWithSuppress > > ptype=RegExp > > pattern=<generic OID> (\S+) > > desc=estado $1 > > action=shellcmd /home/javier/send.sh > > window=300 > > > > However, if you rewrite the rule as follows, each trap .1.2.3 > with a > > *different* set of parameter values will be correlated by a > different > > event correlation operation (in other words, if a trap with a > new set of > > parameter values comes in, it is written to the log and then > suppressed > > for 5 minutes): > > > > type=SingleWithSuppress > > ptype=RegExp > > pattern=<generic OID> (\S+) (\S+) (\S+) > > desc=estado $1 $2 $3 > > action=shellcmd /home/javier/send.sh > > window=300 > > > > The key to the solution is to define the 'desc' parameter > correctly, > > since 'desc' defines the scope of event correlation > operations. Similar > > question has been asked many times in this list before, and > since this > > is one of the fundamentals of SEC, please have a look at the > relevant > > section of the man page: > > http://simple-evcorr.sourceforge.net/sec.pl.html#lbAV > > This section explains the relation between rules and event > correlation > > operations, and how the 'desc' parameter influences this. > > > > BR, > > risto > > > > On 06/01/2010 10:32 AM, Javier wrote: > > > Hi, > > > > > > well, that trap comes from a device with several parameters. I > > receive 3 > > > different traps, some common parameters to all traps and others > > only for > > > each trap. A change in the trap is when I receive a different > data in > > > any parameter from the last same trap. > > > > > > I´ve been searching documentation and maybe i could use Context > > to save > > > the data from each parameter and then show it later if it > > changes, but i > > > don´t know exactly how i can do that. Is it possible?. Any > > suggestion? > > > > > > thanks in advance > > > > > > > > > 2010/5/31 Risto Vaarandi <rvaara...@yahoo.com > <mailto:rvaara...@yahoo.com> > > <mailto:rvaara...@yahoo.com <mailto:rvaara...@yahoo.com>> > <mailto:rvaara...@yahoo.com <mailto:rvaara...@yahoo.com> > > <mailto:rvaara...@yahoo.com <mailto:rvaara...@yahoo.com>>>> > > > > > > How do you define a change in the trap? > > > br, > > > risto > > > > > > > > > --- On Mon, 5/31/10, Javier <esj...@gmail.com > <mailto:esj...@gmail.com> > > <mailto:esj...@gmail.com <mailto:esj...@gmail.com>> > > > <mailto:esj...@gmail.com <mailto:esj...@gmail.com> > <mailto:esj...@gmail.com <mailto:esj...@gmail.com>>>> wrote: > > > > > > From: Javier <esj...@gmail.com <mailto:esj...@gmail.com> > <mailto:esj...@gmail.com <mailto:esj...@gmail.com>> > > <mailto:esj...@gmail.com <mailto:esj...@gmail.com> > <mailto:esj...@gmail.com <mailto:esj...@gmail.com>>>> > > > Subject: [Simple-evcorr-users] Can SEC help me ?? > > > To: "simple-evcorr-users" > > <simple-evcorr-users@lists.sourceforge.net > <mailto:simple-evcorr-users@lists.sourceforge.net> > > <mailto:simple-evcorr-users@lists.sourceforge.net > <mailto:simple-evcorr-users@lists.sourceforge.net>> > > > <mailto:simple-evcorr-users@lists.sourceforge.net > <mailto:simple-evcorr-users@lists.sourceforge.net> > > <mailto:simple-evcorr-users@lists.sourceforge.net > <mailto:simple-evcorr-users@lists.sourceforge.net>>>> > > > Date: Monday, May 31, 2010, 8:15 PM > > > > > > Hi, > > > > > > i need to make a persistance correlation and i´m not sure if > > SEC can > > > help me. It should goes like this: > > > > > > I receive traps with a determinate OID in a log file as raw > data, > > > then i write the output to a DB to show it later as an alarm. > > > > > > > > > I want to show the first coincidence and i want to > correlate the > > > event to show only when its a change in the trap during a time > > > threshold and if there´s a change in that same event, reset > that > > > time threshold and of course show the changes. I prefer do > it in > > > memory and not in DB... > > > > > > > > > Well, is it possible to do that with SEC? and if yes... > > HOW??? maybe > > > using several rules in the same conf file?? > > > > > > > > > thanks in advance > > > > > > > > > > > > > > > -----Inline Attachment Follows----- > > > > > > > > > > ------------------------------------------------------------------------------ > > > > > > > > > -----Inline Attachment Follows----- > > > > > > _______________________________________________ > > > Simple-evcorr-users mailing list > > > Simple-evcorr-users@lists.sourceforge.net > <mailto:Simple-evcorr-users@lists.sourceforge.net> > > <mailto:Simple-evcorr-users@lists.sourceforge.net > <mailto:Simple-evcorr-users@lists.sourceforge.net>> > > > <mailto:Simple-evcorr-users@lists.sourceforge.net > <mailto:Simple-evcorr-users@lists.sourceforge.net> > > <mailto:Simple-evcorr-users@lists.sourceforge.net > <mailto:Simple-evcorr-users@lists.sourceforge.net>>> > > > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users > > > > > > > > > > > > > > > > > > > > > > > > > > > > ------------------------------------------------------------------------------ > > > > > > > > > > > > > > > _______________________________________________ > > > Simple-evcorr-users mailing list > > > Simple-evcorr-users@lists.sourceforge.net > <mailto:Simple-evcorr-users@lists.sourceforge.net> > > <mailto:Simple-evcorr-users@lists.sourceforge.net > <mailto:Simple-evcorr-users@lists.sourceforge.net>> > > > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users > > > > > > > > ------------------------------------------------------------------------------ > > > > _______________________________________________ > > Simple-evcorr-users mailing list > > Simple-evcorr-users@lists.sourceforge.net > <mailto:Simple-evcorr-users@lists.sourceforge.net> > > <mailto:Simple-evcorr-users@lists.sourceforge.net > <mailto:Simple-evcorr-users@lists.sourceforge.net>> > > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users > > > > > > > > > > > > ------------------------------------------------------------------------------ > > > > > > > > > > _______________________________________________ > > Simple-evcorr-users mailing list > > Simple-evcorr-users@lists.sourceforge.net > <mailto:Simple-evcorr-users@lists.sourceforge.net> > > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users > > > > ------------------------------------------------------------------------------ > > _______________________________________________ > Simple-evcorr-users mailing list > Simple-evcorr-users@lists.sourceforge.net > <mailto:Simple-evcorr-users@lists.sourceforge.net> > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users > > > > > ------------------------------------------------------------------------------ > > > > > _______________________________________________ > Simple-evcorr-users mailing list > Simple-evcorr-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users ------------------------------------------------------------------------------ _______________________________________________ Simple-evcorr-users mailing list Simple-evcorr-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
