Risto,

I have several logs with snmptt, and here is the raw output of two of them,
hiding some private data between <>:

snmptt.log:

Wed May 26 13:12:30 2010 <"father" OID> Normal "Status Events" <IP> - Data
notification
organization default_organization
channel default_channel
number 666111222
serviceconf GPRS
dirip 87.172.15.19
...and 20 parameters more

snmptthandler.debug:

.1.3.6.1.6.3.18.1.4.0 private
<"father" OID>.1.1.1.1.1 1
<"father" OID>.1.1.1.2.1 "default_organization"
<"father" OID>.1.1.1.1.2 2
<"father" OID>.1.1.1.2.2 "default_channel"
<"father" OID>.1.1.1.1.3 3
<"father" OID>.1.1.1.2.3 "666111222"
<"father" OID>.1.1.1.1.4 4
<"father" OID>.1.1.1.2.4 "GPRS"
<"father" OID>.1.1.1.1.5 5
<"father" OID>.1.1.1.2.5 "87.172.15.19"
<"father" OID>.1.1.1.1.6 6
...and 20 parameters more

I know it's a little bit weird to present this data in this way, but I need to
preserve the enterprise OID. Anyway, I think it's enough, isn't it? I hope
you can help me.

I'm still thinking that Contexts could be a good idea, but I don't know
how to do it.


thanks







2010/6/1 Risto Vaarandi <risto.vaara...@seb.ee>

> On 06/01/2010 12:23 PM, Javier wrote:
> > Risto,
> >
> > ok, but imagine this: my traps have 20 fixed parameters common to all
> > kinds of traps. Each of those three traps has its own parameter
> > values, so how can I process all of them? I guess with the "father"
> > OID like this:
> >
> > pattern=<generic "father" OID>[\d.]=(\S+) ... 1.3.8.6.[\d.]=(\S+)
> >
> > or maybe
> >
> > pattern=<generic "father" OID>\[(\d+)\]:(\S+)  ... 1.3.8.6.\[(\d+)\]:(\S+)
> >
> > which one ??
>
> Hmmm, it's hard to provide any precise suggestions on regular
> expressions, since I don't know what your input exactly looks like and
> what exactly you would like to suppress.
> If you could provide precise examples of the input with a precise
> problem statement, it would be much easier to help.
> BR,
> risto
>
> >
> > And it still isn't clear to me how to do this rule and how to save the data
> > to compare with the previous values.
> > Please, any idea?
> >
> > thanks
> >
> > 2010/6/1 Risto Vaarandi <risto.vaara...@seb.ee>
> >
> >     On 06/01/2010 11:31 AM, Javier wrote:
> >      > Risto,
> >      >
> >      > yes, you're right. I receive 3 different traps but from 3 different
> >      > generic OIDs, but that's not important. For example:
> >      >
> >      > <generic OID1> .1.2.3 A C
> >      > <generic OID2> .1.2.3 A D
> >      > <generic OID3> .1.2.3 B D
> >      >
> >      > and each one of them, brings the raw data:
> >      >
> >      > <generic OID1> .1.2.3 ="OK"
> >      > <generic OID1> .1.2.3.5="234234"
> >      > <generic OID1> .1.2.3.6.7="UP"
> >      >
> >      > As you can see, some of them have more numbers in the OID, so how can I
> >      > process all of them independently of the amount of numbers in the OID?
> >      > If it is not easily accomplished anyway, I guess I can receive the
> >      > relevant data from the same amount of numbers in the OID.
> >
> >     it should be fairly easy to write a regular expression that handles the
> >     variable amount of numbers. For example, [\d.]+=(\S+) matches any
> >     sequence of numbers and dots that is followed by '=', and it also
> >     assigns the value that follows '=' to a variable $1.
> >
> >      >
> >      > What about using Context to save every value from every parameter of
> >      > the trap and, when it's a data change, write it in another log? (maybe
> >      > that perl script in http://snmptt.sourceforge.net/docs/snmptt.shtml#SEC
> >      > to trap back). Is it possible?
> >
> >     Indeed, you could use contexts for memorizing event correlation state,
> >     but I'd recommend to take advantage of the 'desc' field of a rule.
> >
> >     BR,
> >     risto
> >
> >      >
> >      >
> >      > Thank you very much
> >      >
> >      >
> >      > 2010/6/1 Risto Vaarandi <risto.vaara...@seb.ee>
> >      >
> >      >     Javier,
> >      >
> >      >     if each trap has several parameters that can have different values, and
> >      >     you want to correlate events with the *same* set of values, this can be
> >      >     easily accomplished by setting the 'desc' parameter accordingly.
> >      >
> >      >     Suppose that the trap with OID .1.2.3 can have two parameters:
> >      >
> >      > <generic OID> .1.2.3 A C
> >      > <generic OID> .1.2.3 A D
> >      > <generic OID> .1.2.3 B D
> >      >
> >      >     With this example, it is obvious that the following rule will react only
> >      >     to the first trap:
> >      >
> >      >     type=SingleWithSuppress
> >      >     ptype=RegExp
> >      >     pattern=<generic OID> (\S+)
> >      >     desc=estado $1
> >      >     action=shellcmd /home/javier/send.sh
> >      >     window=300
> >      >
> >      >     However, if you rewrite the rule as follows, each trap .1.2.3 with a
> >      >     *different* set of parameter values will be correlated by a different
> >      >     event correlation operation (in other words, if a trap with a new set of
> >      >     parameter values comes in, it is written to the log and then suppressed
> >      >     for 5 minutes):
> >      >
> >      >     type=SingleWithSuppress
> >      >     ptype=RegExp
> >      >     pattern=<generic OID> (\S+) (\S+) (\S+)
> >      >     desc=estado $1 $2 $3
> >      >     action=shellcmd /home/javier/send.sh
> >      >     window=300
> >      >
> >      >     The key to the solution is to define the 'desc' parameter correctly,
> >      >     since 'desc' defines the scope of event correlation operations. A similar
> >      >     question has been asked many times in this list before, and since this
> >      >     is one of the fundamentals of SEC, please have a look at the relevant
> >      >     section of the man page:
> >      >     http://simple-evcorr.sourceforge.net/sec.pl.html#lbAV
> >      >     This section explains the relation between rules and event correlation
> >      >     operations, and how the 'desc' parameter influences this.
> >      >
> >      >     BR,
> >      >     risto
> >      >
> >      >     On 06/01/2010 10:32 AM, Javier wrote:
> >      > > Hi,
> >      > >
> >      > > well, that trap comes from a device with several parameters. I receive 3
> >      > > different traps, some common parameters to all traps and others only for
> >      > > each trap. A change in the trap is when I receive different data in
> >      > > any parameter from the last same trap.
> >      > >
> >      > > I've been searching documentation and maybe I could use Context to save
> >      > > the data from each parameter and then show it later if it changes, but I
> >      > > don't know exactly how I can do that. Is it possible? Any suggestion?
> >      > >
> >      > > thanks in advance
> >      > >
> >      > >
> >      > > 2010/5/31 Risto Vaarandi <rvaara...@yahoo.com>
> >      > >
> >      > >     How do you define a change in the trap?
> >      > >     br,
> >      > >     risto
> >      > >
> >      > >
> >      > >     --- On Mon, 5/31/10, Javier <esj...@gmail.com> wrote:
> >      > >
> >      > >     From: Javier <esj...@gmail.com>
> >      > >     Subject: [Simple-evcorr-users] Can SEC help me ??
> >      > >     To: "simple-evcorr-users" <simple-evcorr-users@lists.sourceforge.net>
> >      > >     Date: Monday, May 31, 2010, 8:15 PM
> >      > >
> >      > >     Hi,
> >      > >
> >      > >     I need to make a persistence correlation and I'm not sure if SEC can
> >      > >     help me. It should go like this:
> >      > >
> >      > >     I receive traps with a determinate OID in a log file as raw data,
> >      > >     then I write the output to a DB to show it later as an alarm.
> >      > >
> >      > >
> >      > >     I want to show the first coincidence and I want to correlate the
> >      > >     event to show only when it's a change in the trap during a time
> >      > >     threshold and if there's a change in that same event, reset that
> >      > >     time threshold and of course show the changes. I prefer to do it in
> >      > >     memory and not in DB...
> >      > >
> >      > >
> >      > >     Well, is it possible to do that with SEC? and if yes... HOW??? maybe
> >      > >     using several rules in the same conf file??
> >      > >
> >      > >
> >      > >     thanks in advance
> >      > >
> >      > >
> >      > >
> >      > >
>
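
Added example (not part of the original thread and not SEC's own code): a small Python model of how the 'desc' parameter scopes SingleWithSuppress operations, applied to the two rules quoted above with window=300. The trap lines and timestamps are constructed, `GENERIC-OID` stands in for the redacted `<generic OID>`, and the class and function names are hypothetical.

```python
import re


class SingleWithSuppress:
    """Minimal model of a SEC SingleWithSuppress rule (illustration only)."""

    def __init__(self, pattern, desc, window):
        self.pattern = re.compile(pattern)
        self.desc = desc        # template containing $1, $2, ... placeholders
        self.window = window    # suppression time in seconds
        self.operations = {}    # expanded desc -> time at which the operation ends

    def _expand(self, match):
        # Replace each $N with the N-th capture group, as done for 'desc'.
        return re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))), self.desc)

    def feed(self, now, line):
        """Return the expanded desc if the action would run, otherwise None."""
        match = self.pattern.search(line)
        if match is None:
            return None
        key = self._expand(match)
        end = self.operations.get(key)
        if end is not None and now < end:
            return None         # an operation with this desc is still running
        self.operations[key] = now + self.window
        return key


def run(rule, events):
    """Feed (timestamp, line) pairs to a rule; return the events that fired."""
    return [(t, fired) for t, line in events if (fired := rule.feed(t, line))]


# Constructed input: (seconds since start, trap line).
EVENTS = [
    (0, "GENERIC-OID .1.2.3 A C"),
    (10, "GENERIC-OID .1.2.3 A D"),
    (20, "GENERIC-OID .1.2.3 B D"),
    (30, "GENERIC-OID .1.2.3 A C"),   # repeat of the first trap inside the window
    (400, "GENERIC-OID .1.2.3 A C"),  # same values again after the window expired
]


def demo():
    narrow = SingleWithSuppress(r"GENERIC-OID (\S+)", "estado $1", 300)
    wide = SingleWithSuppress(r"GENERIC-OID (\S+) (\S+) (\S+)", "estado $1 $2 $3", 300)
    return run(narrow, EVENTS), run(wide, EVENTS)


if __name__ == "__main__":
    for label, fired in zip(("desc=estado $1", "desc=estado $1 $2 $3"), demo()):
        print(label, fired)
```

With the first rule every trap shares one operation, so parameter changes inside the window go unreported; with the second, each distinct set of values gets its own operation.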